VOLUME VII
IN THE UNITED STATES ARMY 

UNITED STATES 
VS. 

MANNING, Bradley E., PFC COURT-MARTIAL 
U.S. Army, xxx-xx-9504

Headquarters and Headquarters Company, 

U.S. Army Garrison, 

Joint Base Myer-Henderson Hall,

Fort Myer, VA 22211 

/ 

The Hearing in the above-entitled matter was
held on Monday, June 17, 2013, commencing at 1:35 p.m.,
at Fort Meade, Maryland, before the Honorable Colonel
Denise Lind, Judge.

DISCLAIMER

This transcript was made by a court reporter 
who is not the official Government reporter, was not 
permitted to be in the actual courtroom where the 
proceedings took place, but in a media room listening 
to and watching live audio/video feed, not permitted to 
make an audio backup recording for editing purposes, 
and not having the ability to control the proceedings 
in order to produce an accurate verbatim transcript.

This unedited, uncertified draft transcript 
may contain court reporting outlines that are not 
translated, notes made by the reporter for editing 
purposes, misspelled terms and names, word combinations 
that do not make sense, and missing testimony or 
colloquy due to being inaudible by the reporter.

PROCEEDINGS,

(Reconvened at 1:35 p.m.) 

THE COURT: Were there any issues we need 
to address before we proceed? 

MAJOR FEIN: All parties in the court last 
recess are present. 

THE COURT: Thank you. 

MAJOR FEIN: United States offers to be 
read on to the record Prosecution Exhibit 137, a 
stipulation of expected testimony for Mr. Maxwell Allen
dated 16th June 2013. 

(stipulation being read) . 

THE COURT: I have a question for you. I'm 
looking at Prosecution Exhibits 138, 139, they're not 
legible.

MAJOR FEIN: At the next recess the United 
States will look 138 and 139 and get a clearer copy. 

THE COURT: Prosecution Exhibit 141 for 
identification is admitted. Prosecution Exhibit 140 
for identification is admitted. 

CAPTAIN MORROW: Your Honor, United 
States offers Prosecution Exhibit 142 for
identification. It's the stipulation of expected
testimony for Staff Sergeant Peter Bigelow. 

THE COURT: I believe I already admitted 

that.

(stipulation being read) . 
MR. MORROW: United States offers 
Prosecution Exhibit 143, stipulation of expected 
testimony for Special Agent Alfred Williamson dated 17 
June 2013. 

(stipulation being read) . 

MR. MORROW: Your Honor, at this time 
prosecution moves to admit Prosecution Exhibits 47, 48, 
144, 145, and 146, and 147 Alpha, and 148 Alpha for 
identification into evidence.

MR. HURLEY: No objection, Your Honor. 

THE COURT: So admitted. 

Prosecution Exhibit 148 Alpha is 
admitted. Prosecution Exhibit 147 Alpha is 
admitted. Prosecution Exhibit 147 Bravo for 
identification is admitted. Prosecution Exhibit 146 
is admitted. Prosecution Exhibits 47 and 48 are
admitted. Prosecution Exhibit 146 is admitted. 145 
is admitted. 144 is admitted. 

Any other exhibits I have failed to 

admit? 

MAJOR FEIN: That's it, Your Honor. 

THE COURT: At this time why don't we take 
a brief recess and I want to see counsel for just a 
brief second. 

Ten minutes sufficient? 

MAJOR FEIN: Yes, Your Honor. 

MR. COOMBS: Yes, Your Honor. 
(Hearing recessed at 2:10 p.m.) 
(Hearing resumed at 2:20 p.m.) 

MAJOR FEIN: Your Honor, there might be 
some confusion about Prosecution Exhibits 147 Alpha, 
147 Bravo, and 148 Alpha, and 148 Bravo. 

Prior to the recess United States moved 
to admit Prosecution Exhibit 147 Alpha or 148 Alpha. 
Those are the 20-page extracts from the two text 
files based of Special Agent Williamson's stipulated 
expected testimony.

In addition to that now United States 
moves to admit as 147 Bravo and 148 Bravo one page 
redacted versions of those 20 page extracts in order 
to be used in open court.

THE COURT: Any objection? 

MR. HURLEY: No, ma'am. 

THE COURT: I'll visit those momentarily. 
Are there any other administrative 
issues that we have to address? 

MAJOR FEIN: No, ma'am. 

MR. COOMBS: No, Your Honor. 

THE COURT: Okay. 

Did you have an opportunity to look into 
I believe it was Prosecution Exhibits 138 and 139? 

MAJOR FEIN: United States is still trying 
to find a cleaner copy of those and we'll bring it to
the Court's attention as soon as we obtain them.

THE COURT: Prosecution Exhibits 147B and 
148B are admitted. 

Please proceed. 
MAJOR VON ELTEN: Your Honor, United
States calls Chief Ronald Nixon to the stand. 
Whereupon, 

CHIEF RONALD NIXON, 
called as a witness, having been first duly sworn to 
tell the truth, the whole truth and nothing but the 
truth, was examined and testified as follows: 

DIRECT EXAMINATION 
BY MAJOR VON ELTEN: 
Q Your Honor, Chief Ronald Nixon, Army cyber 

unit? 

A Yes, sir. 

Q What is your current position? 

A My current position, I'm senior warrant 

officer in the Enterprise Management Division G32 Army 
cyber command.

Q What does that entail? 

A We manage literally all the Army networks 

from secret level and below across the Enterprise which 
is across the global scope to include tactical and 
strategic systems.

Q What is the Enterprise?

A The Enterprise is the — Enterprise is the 

network as whole. The Army refers to it as the land
(INAUDIBLE) but it is the network all encompassing. 

Q What position did you hold prior to this 

one? 

A Prior to that one I was the senior warrant 

officer in plans and operations division G6 
(INAUDIBLE) . 

Q What did that entail? 

A Very similar duties, a tactical scale. So 

support the combat operations, planning operations, 
services, management and network design. 

Q Where were you? 

A At Fort Hood. 

Q What certifications do you possess? 

A CCMP, cisco assist co-certified CCMB, CCMA 

CCM security CCM (INAUDIBLE) and CIS group. 

Q What are the CC in certifications? 

A Cisco certified network and then 

professional associate and associate security and 
associate voiceover IP.

Q What do those certifications signify? 

A An understanding and tested understanding 

of network architecture and design, engineering, and 
management.

Q What is CISSP? 

A It's really the current industry standard

for securing an information assurance. 

Q What is the level of technical access and 

review of the DoD 8578? 

A Level 3. 

Q Is what the highest level? 

A Level 3.

Q What certification is required for that? 

A It requires a technical skill set which 

would be higher been a CCNA and then a policy piece 
which would be my CISSP. 

Q Let's talk a little bit about your last

time in Iraq? 

A Yes is. 

Q What was your position there? 
A I was the senior warrant and the planning

and operations (INAUDIBLE) . 

Q When were you there? 

A I was there from February of '09 to 

February of '10. 

Q What did that position entail? 

A Network engineering, design, planning for 

operations, support for the entire theater of Iraq. 

Q What is USFI? 

A That's the four star's headquarters. That

was created when they combined MNFI and MNCI into a 
joint four star headquarters, rolling up the I corps, 
the corps headquarters (INAUDIBLE) . 

Q Let's talk about the global address list.

What is that? 

A The GAL, global address list, is are 

talking about the global address for a user server or 
are you talking about the global address list as a 
whole? 

Q As a whole.

A The global address list is a product from 
the active directory global address list which
everyone, every person who has an account has access to
that domain and every machine that's added to that
domain is cataloged. 

Q What is the global address list for a user? 

A The global address list for the user is the 

interface that most of them see through Outlook and 
what that is in a sense is a phone book. It is a phone
book equivalent for all of your services out there, but
it does contain user's e-mail, any alias e-mail
accounts, any pertinent information that would be added
for the ease of the user. So it helps me find your
phone number and things like that.

Q Until how many people were on the USFI GAL 

in 2009/2010? 

A 160,000. 

Q What server was that accessible on? 

A Across a run of servers. You're able to 

access the GAL through — for an exchange you'll be 
able to access the GAL through Outlook (INAUDIBLE) also 
for the system administrator you will be able to access 
the GAL through Outlook on his machine and also for a
system administrator he would be able to access the GAL 
through either the exchange server or the active 
server, the domain controller. 

Q What type of information does the GAL 

contain? 

A Again, from an individual user perspective, 

so I can't for (INAUDIBLE) as an example would have the 
pertinent information for you when you first set up 
your account, when you were added to the domain, any 
alias addresses you would have, for instance, you would 
have in Iraq, you would have the Iraq.centcom.mil plus 
if you have your (INAUDIBLE) .mail attached to that 
account and you set an account or a CENTCOM joint 
account, things like that, for the individual user; but 
it also contains the additional — when you're looking 
at the GAL from that directory standpoint. It also
contains all of the additional security information
user name, password, certificates that are attached to
that, and then anywhere they sit within the (INAUDIBLE)
domain structure.

Q You talked about active directory what is

active directory? 

A Active directory is — active directory is 

the directory service that all Microsoft servers use to 
be able to talk and interconnect with one another.
Prior to active directory exchange, exchange, for 
instance, used to have (INAUDIBLE) . They created an 
active directory to combine all of those services 
together, to join them all at one place so it allows 
all of the servers to be able to crossing communicate 
so SharePoint file servers exchange things like that 
that are all allowed to talk it sets the permission of 
what they're allowed to talk to. 

Q What is a directory of service? 

A So directory service is my category for 

servers to be able to talk to another one without 
getting too technical, it really is just — so, for 
instance, my domain control my active control says that 
I am allowed to talk to this division or this corp at 
these levels and then establishes the trust 
relationship between them. 
Q What is the purpose of active directory?

A Active directory is the core backbone for

all directory services for Microsoft exchange server.
So for a brigade, for division level exchange server to 
be able to talk to somebody else within USFI they would 
have to be able to access those primary active 
directory, that directory itself (INAUDIBLE) to do 
those cross talks.

It's also a certification process if you
wanted to be able to access another type of server 
SharePoint that checks your credentials (INAUDIBLE) yes 
Captain might not be able to do these things and this 
is what he's able to do. 

Q What credentials does it show? 

A Well, depending on how you're (INAUDIBLE) . 

For Iraq user name and password was the primary means 
of credentials.

Q What are permissions? 

A Permissions are, what am I allowed to do on 

a set system or server. So primary example is, user 
services. By Army regulations DODI CJCSI regulations
(INAUDIBLE) a user is only allowed to do certain things
on his machine.

He's allowed to access the Internet. He's
allowed to open up and (INAUDIBLE), but you're not
allowed to install anything on your machine as a user.
You can't even update your machine any more.

Q How does active directory support security? 

A By a couple of different ways. One is it

sets everything up in a domain structure. So basically 
it tells you (INAUDIBLE) what can talk to you, what can 
you talk to around within the network. 

It sets and manages by permission levels 
for my individual user, my system administrator and my 
network administrators, then it also controls the trust 
relationship between the different domains. So that
trust relationship is an exchange of information from
one domain or one set of servers, to put it simply.

So from USFI to 1st Cavalry Division, the
domain control is established and maintain that 
relationship, kind of like a traffic cop. 

Q How does the active directory interact with 
the GAL?

A So your active directory for — so let's

take it from a GAL perspective of the user.
Q Okay.

A Okay. So GAL perspective from the user,

I'm an e-mail Internet exchange and I log on to
Outlook. The GAL I see from that is a product of the
active directory GAL. It is then basically it's what
the exchange server pulls to create the GAL. So it is 
a direct product of the active directory global address 
list. 

Q How does active directory interact with the 

GAL from a system administrator perspective? 

A From the system administrator perspective 

(INAUDIBLE) lot into a system as a system 
administrator, the active directory says, Chief Nixon 
is allowed to add programs to the software. 

I'm allowed to push updates. I'm allowed 
to do things that in order to affect change to that 
insurance or affect change on the server or the network 
within that rule set because of the dangers of system 
administrative (INAUDIBLE) to what approval so I'm now
allowed to have access to e-mail, and I don't have
access to an e-mail account while being the system
administrator.

Q What software does a user use to interact 

with the GAL? 

A Primarily would be Outlook. It's where

they see it the most often. 

Q Do you how many people created the NIPR in 

USFI? 

A Reword the question, please, or ask it a 

different way.

Q How many people are involved with 

developing it initially? 

A The initial development of the GAL for USFI 

took place over the years. Multinational (INAUDIBLE) 
MR. HURLEY: Objection. 
Is that personal knowledge? 
THE COURT: Do you want to develop a 
foundation for that? 

MAJOR VON ELTEN: We'll move on, Your 
Honor.

BY MAJOR VON ELTEN:

Q Let's talk about the resources that go into

creating and (INAUDIBLE) the GAL. What hardware does 
the network did the GAL use for the network? 

A So for the GAL primary active directory and 

exchange structure in Iraq for NIPRnet, you had four 
nexus backbone switches, two for the primary and two 
for the back up group and then you have a stack of 64 
server suites that supported the primary site, and 
after that you also had all the normal network 
infrastructure cable (INAUDIBLE) switches, outside 
equipment.

Q What is a nexus switch back.

A The nexus switch is a five channel high 

speed (INAUDIBLE) switching backbone used to support 
the back of your server (INAUDIBLE) servers to be able 
to communicate in no (INAUDIBLE).

Q How many does the NIPRnet use? 

A Four, two on the primary and two on the 

backup site.

Q What is the cost?

MR. HURLEY: Objection, hearsay. 
THE COURT: Sustained. 
BY MAJOR VON ELTEN:
Q Were you involved in contracting for the 

backbone service? 

A Yes. I was the technical oversight for the

DRS contract at the (INAUDIBLE) of the USFI services in 
Iraq. 

Q Who managed the hardware? 

A Who managed the hardware? We had a 20 to 

24 contracted personnel that worked in the services 
section within the JNCCI, one warrant officer, one 
major, and five or six enlisted personnel. 

Q How much time did they spend working on 

this? 

A 24/7 365, no breaks. 

Q What was your interaction? 

A I worked with them on a daily basis for 

planning administration and fulfillment of requirements 
for services across all Iraq. 
Q How many servers did the GAL require for

NIPRnet? 

A The GAL itself would have been present 

on — well, the active directory itself. So you're 
talking about (INAUDIBLE) that comes into that physical 
server suite of 64 servers that we used to maintain and 
run NIPRnet within Iraq. 

Q How many of those servers were physical 

servers? 

A I'm talking about 64 physical servers, 

virtual servers is over a hundred. 

Q What is a physical server? 

A Physical server is a Dell or whatever brand 

of (INAUDIBLE) that you actually put your hands on and 
hold. Hardware, hard drive memory, processor, I can 
actually put my hands on and touch. 

Q What is a virtual server? 

A Is a software driven and software created 

server. Use visualization sayings to be able to reduce 
the amount of physical overhead you have as far as 
power and things like that. Power and physical
requirements for the servers it also allows you to
share resources if you have a failure in one I can 
replicate back up to another with no loss of service. 

Q How many contractors worked on the server? 

A We had those 25 to 24 contracted personnel 

are the same ones that did the maintenance and 
(INAUDIBLE) . 

Q Now often were those contractors working on 

the servers? 

A 24/7 365 always. 

Q Who paid their salaries? 

A The salaries were paid out of the USFI 

funding.

MR. HURLEY: Objection, hearsay.
BY MAJOR VON ELTEN:
Q Is that from your personal knowledge?

A Not a fact, out of the budget.

THE COURT: How do you know that? 
THE WITNESS: The (INAUDIBLE) of USF over 
sizes for the (INAUDIBLE) . 

THE COURT: Sustain the Objection. 
Go ahead.

BY MAJOR VON ELTEN:

Q What's your involvement in budgeting. 

A In budgeting itself, none. I didn't do a 

budget, per se. It was over technical oversight and
management of the contract.

Q How did you — did you manage cost?

A I had oversight on cost. I didn't — I

wasn't a yes or no person on that, but we managed so 
something was cost prohibitive or something like that 
we would (INAUDIBLE) but we saw all functions of the 
contract.

Q What cable did the GAL use? 

A The server infrastructure used a massive 

amount of cabling between the primary and secondary 
sites, and all of the cabling in structure and 
(INAUDIBLE) basis and every insulation you have to 
switch infrastructure (INAUDIBLE) . 

Q What the (INAUDIBLE) account GAL require? 

A The server infrastructure at USFI was in 

excess of 100,000 thousand tons of cooling and power. 
Q What is does that mean?

A Well, you equate — so when you cool your 

house you have a number of BTUs it takes to cool your 
house. Your standard wall air condition is 15,000 
BTUs. You buy a 15,000 BTU at Wal-Mart. 

We're looking at (INAUDIBLE) and take that 
and multiply it by 2,000, but it's the actual physical 
cooling requirement for the servers and all of the 
networking equipment that's supported inside of that
building.

Q What of transmission infrastructure did the 

GAL use? 

A Well, the GAL used server infrastructure of 

Iraq used two sonic rings that moved in and around 
Baghdad and north and south had a sonic ring and you 
had a satellite structure backup. 

Q Let's talk a little bit about the software.

What software did the backbone servers require? 

A Well, the backbone servers required your 

Microsoft suite of servers. So we ran (INAUDIBLE) to 
2003 and 2008 across Iraq Enterprise licenses for those 
and you had exchange the active directory.

So that would be four core backbone 
services that we've talked about here and your 
management consoles and all of the supportive structure 
for that and antivirus host based firewalls and those 
(INAUDIBLE) . 

Q What is virtual (INAUDIBLE) software? 

A So in Iraq we used (INAUDIBLE) wire aid to 

do creating a virtual environment for services and 
services stacks within Iraq. So you run a virtual 
environment. So it allows me to create multiple
servers on a single platform to be able to share my
resources.

Q What server software was used? 

A Well, we used server 2000, we used 2003 and 

2008, and then the active directory software that was 
used management console and exchanges itself. 

Q How many licenses were required? 

A They're Enterprise licenses. So depending

on how you purchase from Microsoft at the time you 
purchase an Enterprise license and based on the number 
of systems.

For instance, let's take the NIPRnet. We
ran 120, 130 instances of Microsoft Exchange to be able 
to support — Microsoft server 2003 or 2008 to be able 
to support 160,000 customers. 

Q How many licenses did active directory 

require? 

A It would have been the same thing, very 

similar. Again, same thing and you buy an Enterprise 
license (INAUDIBLE) but then I have to buy myself 
(INAUDIBLE) software based on a number of (INAUDIBLE) 
that you have to be able to support. So in that case
it would have been about 160,000. 

Q What kind of maintenance did the GAL 

require to keep it current? 

A Well, of course, you've got secure web 

dates and you've got your daily (INAUDIBLE) . So any 
time an update comes out from Microsoft you have to 
able to maintain security or maintain (INAUDIBLE) on 
the platform. 

So you have Microsoft at least once a week 
and for antivirus and securities sometimes daily.
Q Who updated the GAL? 

A Again, updating the GAL are we talking 

about from a update perspective or are we talking about 
from a content perspective? 

Q First from an update? 

A Same 20, 24 contractors and the military 

staff who worked in the JNCCI for USFI.

Q Who updated the GAL from a content 

perspective?

A From a content perspective your updates

were done from all across the board. We have local
system administrators who would create (INAUDIBLE),
your help desk, and then you've got your overall 
maintenance of the GAL that would have been active 
directory or exchange which would have been done at 
USFI.

Q How often — how many people were involved 

with updating content? 

A Well, from USFI perspective, we're talking 

at same 20 to 24 personnel plus enlisted staff but that 
doesn't count the ITT contract that is spread out over
Iraq that (INAUDIBLE) all of our help. 

Q How often do your military staff work on 

this? 

A All the time. 

Q How many? 

A Dozens, sir, because you have the strategic 

single (INAUDIBLE), and supported by the help desk. 
Then you have some type of military personnel sitting 
on top of you (INAUDIBLE). Then you're talking USFI
again. The USFI guys you're talking about Major
(INAUDIBLE) and enlisted (INAUDIBLE).

Q How are updates pushed out to the GAL? 

A Updates to the GAL from again from a 

content service or from a — 

Q Content.

A From a content point of view, they were 

done constantly. So, again, if somebody came into 
country the first time and the account was created then 
that update would have been done then, and there does 
take about 24 hours for the update to take place when 
you're talking about from a content standpoint.

Adding a machine to a domain, those are
recurring costs of things that happen all the time.
They've actually a day-to-day function, and then my
maintenance updates would have pushed down from USFI, 
from contract to the military staff (INAUDIBLE) . 
Q How was GAL information stored? 

MR. HURLEY: Objection, Your Honor. 

MAJOR VON ELTEN: Resources prior to 
maintaining his evaluation? 

MR. HURLEY: I think we've (INAUDIBLE) 
resources to maintain the GAL.

THE COURT: Go ahead. 

BY MAJOR VON ELTEN: 
Q How is GAL information stored? 

A For the physical storage of the GAL was 

maintained on the two, for the NIPRnet was NIPR and 
SIPRnet both on the installed at USFI headquarters.
That's where the primary repository was and then you
had servers at each and every instance of exchange
order across Iraq.

Q What is the SAN?

A SAN is storage area network. 

Q How much does a SAN hold, how much storage? 

A Ours was in the hundreds of terabytes.

Q How many (INAUDIBLE) are required for the 

NIPR? 

A Two, one primary at the one primary at USFA 

headquarters and one another the (INAUDIBLE) . 

MAJOR VON ELTEN: Retrieving Prosecution 

48. 

MAJOR VON ELTEN. 

Handing Prosecution Exhibit Number 48 to 

the witness.

MAJOR VON ELTEN: 
Q Chief Nixon, do you recognize this? 

A Yes, sir. 

Q What is it? 

A It's a CD that says GAL on it.

Q Have you reviewed it? 

A Yes, sir. 

MAJOR VON ELTEN: Retrieving Prosecution 
exhibit (INAUDIBLE) I'm handing it to the court
reporter. Retrieving Prosecution exhibit 148 Bravo and
handing it to the witness.

MAJOR VON ELTEN: Permission to publish. 
THE COURT: Proceed. 
BY MAJOR VON ELTEN: 
Q Do you recognize this Chief Nixon? 

A Yes, sir. 

Q What is it? 

A This is the — this is the output of a GAL 

pool from one of the foreign exchange servers at USFI.
Q How do you know? 

A The ones I'm looking at if I look at the 

domain names they're all present on Iraq (INAUDIBLE) . 
So these were all the e-mails addresses that I stored 
(INAUDIBLE) transferred to GAL and, of course, the 
string, the way the string is set up (INAUDIBLE) that 
shows the SNPT string you can go to Outlook and look at 
bring up two, but the (INAUDIBLE) that would be the 
string you would see up there.

Q What is a domain?
A A domain is the space that you're name

space that you operate within a network. So in Iraq we 
use iraq.centcom.mil preference with that (INAUDIBLE). 
So the those are the operating spaces the named 
operating spaces that you operate in. So I each one 
that's different from another represents a domain that
you had to have trust relationships to be able to talk 
or communicate across with another one. 

Q Retrieving prosecution 47. What 

(INAUDIBLE) handed you, Chief Nixon? 

A You're handed me a CD with GAL names on it.

Q How do you know? 

A I've seen it before, sir. 

Q Retrieving Prosecution Exhibit 47 and 

retrieving Exhibit 137 Bravo. Do you recognize this? 

A Yes, sir. 

Q What is it? 

A This is the — this would be a the names 

that would you get.

Q A GAL or the (INAUDIBLE) someone. For 

instance if you were looking at two if you find the 
first part of somebody's name and hit control K that be
what would you see. It's the users reference or
interpretation of GAL information.

What information is displayed in this? 
A Anything that entered is well standard for 

military is first name last name, rank, and then unit 
affiliation. So, again, you're able to tag somebody 
down to what unit they work at very quickly and easily. 

MAJOR VON ELTEN: Returning Prosecution 
Exhibit 137 Bravo. 

BY MAJOR VON ELTEN: 
Q What is a coop site? 

A It's a continuum operation sees the backup.

Q What's its purpose? 

A For both military, for (INAUDIBLE) 

regulations and per combat operations in a war 
(INAUDIBLE) to have the ability to abandon all of your 
information. So for Iraq for the USFI services in 
Iraq, the Iraq in domains we created an installed to — 
allows a back — 

THE COURT: What it called? 
THE WITNESS: Copy keeper. AR500-3, I

believe.

BY MAJOR VON ELTEN: 
Q What resources are required for the coop 

site? 

A So for Iraq we had maintained real time. 

We had to maintain real time replication. So that's
why the nexus fiber channel stitches switches were the
primary ones you had for the backbone services. It
basically requires similar storage, nearly the same
operating the space and capacity for the physical
serving environment.

Q Who had access to the (INAUDIBLE) in Iraq? 

A From a user perspective.

Q From a user perspective? 

A From a user perspective you had access to 

the call if your registered in the domain to have 
access.

Q What people would have registered?

A Only e-mail people with created accounts.

So you've designed to use your agreement
being cleared to be able to do so and you had an
account created. 

Q What people in the United States would have 

access to such (INAUDIBLE) ? 

A From the United States? 

Q Yes. 

A None.

Q So what people in Iraq would have had 

access to the USFI? 

A The people who works on USFI domain? 

MAJOR VON ELTEN: Retrieving Prosecution 

Exhibit 48. 

BY MAJOR VON ELTEN: 
Q Chief Nixon, what information is on that 

CD? 

A It's the list of GAL e-mail traffic or the

exchange pool from the exchange server in Iraq. So the 
e-mail information. 

Q How do you know? 

A As I said before, when it was up on the 

screen you can see — one is you can see all of the 
Iraq domain name information on there, and the SMPT
(INAUDIBLE). Do you (INAUDIBLE) and you click e-mails
you would actually see that would be the information 
you would see in there in that context box. 

Q How much access would have and how much of 

the (INAUDIBLE) would an individual user have access? 

A So within exchange Outlook gives you a set 

view. That would be the information that's provided 
for lack of a better term public consumption within the 
Iraq network. So name, contact information, those 
types of things, e-mails, if any groups that you belong 
to that would be the content that you would see.

You wouldn't be able to see further
information like what your permission set were or what 
OUs you belonged to or domain structure you belonged 
to. 

THE COURT: What? 

THE WITNESS: Each operating environment 
within your domain structure.

BY MAJOR VON ELTEN: 
Q What does OU stand for? 



Provided by Freedom of the Press Foundation 



21 



UNOFFICIAL DRAFT - 6/17/13 Afternoon Session 



A It escapes me right now, sir. 

Q How many of the 160,000 accounts could the 

individual user see who had access to the GAL? 

A All of them. So when I hit control K in 

Iraq at our IP headquarters, if I didn't put any 
information in there, I would (INAUDIBLE) approving all 
160,000 names. 

Q What if you worked at headquarters just on 

a (INAUDIBLE) . 

A If I was — let's take (INAUDIBLE) at 1st 

cav headquarters, (INAUDIBLE) with them on a regular 
basis (INAUDIBLE) so they would be able to search my 
GAL for a targeted individual, but they wouldn't 
necessarily see the USFI headquarters. 

So if you're within a division structure 
you would see 25 or 30,000 names within that 
infrastructure.

Q How would a user access the other 13,000 

names? 

A You would have to search for them. As long
as they're in the Iraq domain you would have to search
for them. It's not an automatic here you go and it's
done.

To keep from overloading the system, if you
pulled out 160,000 names in Outlook, you know, you're
just going to lock your system up. So, you know, but do
you have access to all of them? Yes. Can you actually
pool and stream the rundown on all 160,000, no; but,
yes, you definitely have access to all of them.

Q How many e-mail accounts were reflected on 

that CD? 

A I want to say it was about 24,000 were on 

that CD. 

MAJOR VON ELTEN: Retrieving Prosecution 
Exhibit 48. Retrieving Prosecution Exhibit 47. 
BY MAJOR VON ELTEN: 
Q How many names were on that CD? 

A The names on the CD matched the e-mail
exchange list line for line. So it was — it was about
24,000.

Q What names would be hidden from GAL in 2009
and 2010?

A We didn't want to hide names. In fact, if
you look at the names list, the first two names on the
list is General Odierno and General Austin.

Q Who were they at the time? 

A They were the preceding and incoming USFI 

commander. So the four star generals in charge of the 
theater of operation inside Iraq. 

MAJOR VON ELTEN: Retract the exhibit. 
BY MAJOR VON ELTEN: 
Q Why didn't the public have access to the 

NIPR GAL? 

A You don't want public access to your GAL.
It's not a — because of the information that's in
there, I mean, I don't need anybody to have General
Odierno's desk number let alone contact information and
what groups they belong to and things like that it's a
security issue. It's not a public consumption piece.

From a technical perspective (INAUDIBLE)
had to have access (INAUDIBLE). The NIPRnet is not a
public access network regardless of what people think.

MAJOR VON ELTEN: Thank you. No further
questions.

CROSS EXAMINATION 
BY MR. HURLEY: 
Q Good afternoon, sir. 

A How are you, sir? 

Q I'm good. Thank you. Let's start here. 

During your direct examination with Captain von Elten 
you called the active directory the backbone? 

A Yes.

Q And the backbone is the resource intensive
element to this, correct, that the server space, the
personnel requiring, they're updating the active
directory and they're working with the active
directory?

A Well, they work with all of the services.
When you say backbone, does the (INAUDIBLE). So
it's —

Q The anatomical analogy a little further the
active directory with it's backbone just having a part
of this integrated service?

A I don't know if I would use that is
analogy, sir.

Q It's a subset function of the active
directory?

A It's a direct product of the active
directory the active directory GAL global address list
a couple makings of everything that's exists within
active directory as fast as all of my servers and users
within active directory. So that's where all of that
exists. So my exchange GAL is the direct product of
that.

Q You can turn off the global address list as 

part of the active directory? 

A What do you mean turn off, sir?

Q You can just stop the function from 

occurring if someone asked for the global access list 
and it doesn't need to come up. That function doesn't 
need to be performed? 

A Yes, you cannot allow a user access to the 

GAL. 

Q But you in this hypothetical scenario you
would still require that server space and resource to
maintain the active directory?

A Yes.

Q Let's talk about the GAL. This is during 

the period of your deployment, sir, and as I understand 
it that was in February of 2009 to February of 2010? 

A Yes. 

Q The GAL was always operational? 

A Yes, sir. 

Q And you use the GAL during this time? 

A Yes. 

Q And you never had a problem with it? 

A No, sir. 

Q No one ever — you never incurred any 

prolonged or sustained problems with the GAL during 
this period of time? 

A There's always outages across the network
that size, but that would be — primary, no, the
(INAUDIBLE) never went down hard, no, sir.

Q And you don't recall any instruction on not
to use the GAL, force wide, USFI wide, don't use the
GAL on all personnel in USFI?






A No, sir. 

Q Now indicated there are 160,000 — when you 

say there are a 160,000 user IDs on the GAL, that was 
when you left in February of 2010. Is that where you 
pinpoint that 160? 

A Yes, sir. 

Q But Prosecution Exhibits 47 and 48, the 

disk, so there's 24,000 e-mail? 

A Yes, about that, sir. 

Q And the same 24,000 I mean are the same 

24,000 people are on 47 and 48? 
A Yes, sir. 

Q And that 24,000 you would agree with me 

substantially less than 160,000? 
A Yes, sir. 

Q A point about the information on there.
The phone numbers that would be associated with the
USFI GAL would be DSN numbers, correct?

A Not all of them, sir.

Q Some would be DSN?

A You also had commercial cell phones. You
also had (INAUDIBLE) phone numbers that were tied to
Iraqi commercial land lines that there would have been
access to that.

Q (INAUDIBLE) VOIP.

A Yes, sir.

THE COURT: What is VOIP?
THE WITNESS: Digital voice.
BY MR. HURLEY:
Q Just a moment. You said the active
directory performs other tasks besides the global
address list?

A Yes. 

Q It helps to establish shared drives? 

A Access to shared drives.

Q And it helps with other network tasks?

A Yes, sir.

Q And one of the functions it ultimately is
to produce the GAL?

A Yes.

Q And the GAL there's — I just want to make
sure I get these terms right. There's a GAL as a
whole?

A That's right.

Q And there's a GAL that the user pumps when
he says show meet GAL?

A Yes.

Q This wasn't your first deployment in Iraq, 

was it, Chief? 

A No, sir. 

Q So this — go along with this a little bit.
I'm just going to give you what I understand of the
process and you tell me where this isn't inaccurate.
Soldier deploys?

A Yes. 

Q Gets to post or station or whatever? 

A Yes, sir. 

Q And then there would be a lag posted time 

between when she gets there and her e-mail set up? 
A Yes, sir. 

Q And then eventually as we all hope and pray
when we're in Iraq or Afghanistan there's a period of
deployment ends and we redeployed?

A Yes, sir.

Q For a period of time the GAL will still
reflect someone who has redeployed —

A Yes for a period of time. If things are
done right it's usually 24 or 48 hours. If not we
would run a script (INAUDIBLE) was inactive for longer
than 90 days.

Q And that was a task that was down to the 

lower level communications folks making sure that the 
24 to 48 hours? 

A The low level. The upper level — the
overhead piece was the script for the 90 days for the
(INAUDIBLE).

Q The same thing for someone who had to
leave in the middle of deployment never to return, you
would hope that the lower level communications people
would take them off, take them out of the active
directory thereby taking them out of the GAL?

A Yes, sir.

Q That's the process, you get put into the
active directory to get access to the system; is that
right?

A Yes, sir.

Q And once you're in the system as user you
can pull the GAL?

A Yes, sir. It allows you to look on to your
machine and you have visibility or access to the GAL.

Q A GAL as taken at any particular point in 

time there would be people in country with just no 
e-mail access set up yet, that there would be people in 
country that just don't have their e-mail (INAUDIBLE) 
and going to have e-mail. Do you see what I mean? 

I just (INAUDIBLE) that period of time we
were talking about where my e-mail account isn't set up
yet?

A You would have a run of personnel, yes.
Been there for the first 24, 48, 72 hours, maybe up to
a week, depending on the size of the file and the
competency of the staff. You can be a little
(INAUDIBLE) you can sit it around without access to the
e-mail.

Q Is that snapshot that was taken on a day of
those individuals, wouldn't be on?

A It's a possibility, yes, sir.

Q And the snapshot that was taken for that
same day for people who redeployed but the information
just hadn't come off the network?

A Yes, sir.

Q As we look at? 

MAJOR HURLEY: May I publish Prosecution
147.

THE COURT: Yes.
BY MAJOR HURLEY:
Q Prosecution Exhibit 148 Bravo. Direct your
attention there.

A Yes, sir. 

Q You indicated on direct that all of these 

e-mails were Iraq centric e-mails, correct? 
A Yes, sir. 

Q Now, if I'd linked up my AKO would it show 

it for any of these individuals? 
A No, sir. 

Q It wouldn't show it?

A No.

Q Would it show it to any user that was 

accessing the GAL? 

A For instance, when we created your account 

if you saved (INAUDIBLE) this or, for instance, when 
you have an Enterprise e-mail account your Enterprise 
e-mail account is linked to your AKO. So it's tied — 
so if you were to look at this traffic if you were to 
look at this screen now if you can look at (INAUDIBLE) 
there you would see both this e-mail and that one, but 
your usarmy.mil of this domain (INAUDIBLE) of this 
domain unless that traffic (INAUDIBLE).

Q Typically speaking when you would pull —
when a user would pull the user GAL, this is what
you'd see?

A Yes. 

Q And in February 2010 you wouldn't even see 

an AKO e-mail address up there? 
A No, sir. 

Q But nowadays with mail.mil?

A We did have a small number of personnel who
had their e-mail accounts linked, a lot of a CENTCOM
personnel. They had their e-mail accounts linked. So
you to so if you Major Hurley had CENTCOM business and
SFI business at the same time then we would have linked
both of those e-mail accounts within that.

Q And it would pull them up? 

A It would only pull them up your Iraq 

centric e-mail, sir. 

Q And at the time — at the time and this is
February 2010, what we had back then were home stations
e-mail accounts. Let's say I (INAUDIBLE)?

A The was not (INAUDIBLE).

Q And this was home station e-mail address if
I deployed to Fort Stewart for Iraq that's not reflected
up here, is it?

A No, sir.

Q And it wouldn't be reflected in the user
GAL that you would pull the from Iraq?

A Only if we had access to — if we were
(INAUDIBLE) those other domains. For instance, if I
could search CENTCOM's GAL list by putting these people
are (INAUDIBLE) installed we had sync services with
those services, the same with the divisions up to the
(INAUDIBLE) USFI and down and they with some on syncing
with the (INAUDIBLE) domain for Afghanistan and quite
and Qatar you would be able to pull those as a user
within the GAL to authenticated onto.

Q You would have to pull them by name or 

would they come up? 

A You would have to do the search. I would
have to say Hurley control K and then you would have
gotten the guys in USFI and anybody we had in
(INAUDIBLE).

Q Help me understand. Correct me if I'm
wrong, Chief. If you had this software and it's
working normally once the active directory is
established then the GAL function can occur; is that
correct?

A Yes, exchange pulls that GAL from active,
correct.

Q And that's as easy as pushing a button?

A From a user perspective, sir, or from an
actual services management.

Q From a user perspective?

A From a user perspective, yes.

Q Any particular user would have been the 

access to all groups inside the domain? 

A No, sir. 

Q And so the user's access and the GAL that
they pull would reflect the domains they have access
to?

A Yes, sir.

Q So he wouldn't as the user in that he
wouldn't have had access to the entire user GAL?

A Access and visibility, sir, that's what I'm 

asking for access or visibility. Access, yes, as long 
as I'm doing sync with those other domains I can search 
and look. 

Q But — 

A But did you just do a control K and all 

populate, no, sir. They would require elevated level 
of (INAUDIBLE) to be able to do something like that. 

Q Just so I'm clear that all the resources
you talked about with Captain Von Elten they are
required for (INAUDIBLE) entirety of the operations, so
to build and maintain an active directory to do the
other functions the active directory performs as well
as to establish a global address list or GAL.

A Yes, sir. It's in all encompassing
servers. (INAUDIBLE) I don't have exchange without
active directory or any of those other services.

Q Now, you indicated, Chief, that the names 

on the CDs they matched each other? 

A Right. If you were to go down to them like
the first two on the top of the GAL General Austin and
General Odierno on the other two it was also General
Austin and General (INAUDIBLE) e-mail addresses.

Q Did you compare those names or the
information on that CD to the global address as of May
of 2010?

Q Did you personally do that? Did you
personally compare the information you were getting on
the CDs did you compare to it something other than what
was on the CDs to what you knew the global address was
in 2010?

A No, I didn't do anything else other than
(INAUDIBLE).

Q So you didn't — logically you don't do a
line-by-line comparison to those things and what was on
the GAL?

A No, sir. I could guarantee though those
were both General Austin and General Odierno's e-mails.
I had to deal with them on a regular basis.

MR. HURLEY: Understand that, Chief. 
Nothing further, ma'am. 

THE COURT: Redirect, Major Von Elten.

REDIRECT EXAMINATION
BY MAJOR VON ELTEN:
Q Chief Nixon, how many e-mails can somebody
send if the exchange or network goes down?

A None.

Q If somebody downloads the entire GAL to a
computer, how many e-mails can he send if the exchange
or network goes down?

A None.

Q When you reviewed the names on Prosecution
Exhibit 47?

A Yes, sir. 

Q Do you recognize other names? 

A Actually, there were a couple of system
administrator names belonging to headquarters. If you
go down the list a little aways there's a special camp
Hosen is the list and then there's there were a number
of group accounts that I recognized like the catfish
account which was all of the air movement of the
theater, a couple of fire brigades (INAUDIBLE).

Q Where were those people stationed tell you 

the truth? 

A They were all in Iraq. 

Q Were they part of USFI? 

A Well, actually they weren't part of just
USFI, they were part of other organizations within
Iraqi as a whole. They weren't actually USFI they
belong to do all of Iraq different.

Q Were they part of the GAL?

A Yes, sir.

MAJOR VON ELTEN: Thank you. Nothing
further.

RECROSS EXAMINATION
BY MR. HURLEY:
Q Downloading, if a user wanted to download
the GAL, was it prohibited? Let me rephrase my
question.

If a user wanted to download a GAL for his
brigade, was that prohibited?

A Normally a user wouldn't have the ability
to do that, sir. You would have to do a manual cut and
paste process to even then it wouldn't be an easily
executable process without outside software. It's not
a user function to be able to download the GAL as a
whole.

That's why when we had the conversations —
do you want to specific access and visibility because
they're two very different things? Visibility to the
GAL as a whole within Iraq, yes, without a doubt to
actually pull down and see all of the contextual
information within the GAL as you were to pull down to
Excel (INAUDIBLE) is a very different entity, not a
user level access task.

Q Just to make sure I've got it all, Chief, 

there can be an active directory without a GAL? 

A Yes, sir. 

Q But there cannot be a GAL without an active 

directory? 

A No, sir. 

MR. HURLEY: Thanks. 

THE COURT: I have a few questions. Let me
make sure I understand your testimony. So I have the
active directory which you basically have set up all of
the user account information goes in and it's
structured to I guess keep it a certain way?

THE WITNESS: It's just structured to make
sure all of my servers are able to talk to one another
across the network and maintain my relationships with
other servers in other domains. The user bill is just
a part of that active directory function.

THE COURT: So the user bill would be, if
I'm understanding your testimony, in an active
directory is structured such that users can go in and
with control K access certain information about people
who are part of the directory?

THE WITNESS: Yes, ma'am. The exchange
server. So you (INAUDIBLE) you're using Outlook, the
exchange server pulls that information from active desk
directory to present to you in a formatted that you're
able to digest so you're able to use that is
information.

So if you hit control K and you see you
and the other people with that the last name
(INAUDIBLE) smaller search.

THE COURT: Is it similar to Outlook today 
where if you check addresses or — 

THE WITNESS: All of that is different 
parts of the same functionality, ma'am. 

THE COURT: If you download say do a
control K and you get all of the addresses, are you
able to go to particular addresses when you click on
their names, get the properties and other things at the
top of the screen and then find out further information
about that from these addresses?

THE WITNESS: Yes, ma'am. 

THE COURT: So if you push control K is it 
like a database thing? 

THE WITNESS: It's a quick key function,
ma'am, for the same thing. That's all it is. If
you're talking about if you bring up the two functions,
you start typing in names, the same thing. Control K
is just a quicker way to do it. That's all it is.

THE COURT: Any follow-up questions 
based on mine? 

MAJOR VON ELTEN: No, ma'am. 

MR. HURLEY: No, ma'am. 

THE COURT: Temporary or permanent
(INAUDIBLE).

MAJOR VON ELTEN: Temporary.

THE COURT: Let me make sure I don't have
any final questions here. I don't think I do. You are
temporarily excused. Please don't discuss your testimony
or knowledge of the case with anyone but the lawyers or
the accused while the trial is going on.

MAJOR FEIN: United States requested
(INAUDIBLE).

THE COURT: Court is in recess until 3:30. 
(Hearing recessed at 3:20 p.m.) 
(Hearing resumed at 3:30 p.m.) 

Whereupon, 

CHIEF WARRANT OFFICER ARMOND ROUILLARD, 
called as a witness, having been first duly sworn to 
tell the truth, the whole truth and nothing but the 
truth, was examined and testified as follows: 

DIRECT EXAMINATION 
BY MAJOR FEIN: 
Q You are Chief Warrant Officer Armond 

Rouillard ruin of United States Army first IO command? 
A Yes, sir. 

Q Thank you. 

Chief, what is your current position at 
United States Army first IO command? 

A I'm the senior tech advisor for the 

Lieutenant commander for secretary bat first IO. 

Q What does it mean to be the senior tech
advisor?

A To advise him on anything that affects the
battalion mission. So one of our missions is the cyber
op 4 teams, and we use them to test brigades that are
getting ready to deploy through attack networking,
attack methodology. And so I'm responsible for the
training and maintenance of those guys.

Q And is that the mission of the first IO 

command? 

A Yes, the vulnerability assessment of our 

networks for the Army. 

Q And I guess how broad or how comprehensive 

is that charter? 

A Pretty wide. Up until very recently they
also managed the regional certs which are directly we
have those based across the United States. So we have
cert for conce for the United States in Fort Huachuca.
We have one for the southern area. So first IO manages
those guys and they're responsible for detecting
attacks or responding to intrusions or unclassified
spillages across networks.

Q What's a cert?

A Computer emergency response team.

Q And is that what the first IO command team 

does, still manages the certs? 

A Not any more. We assist with it, sir, but
that mission is passed to the Army cyber, but we're
still in the business of helping those guys, but we
also have the Army's red team, blue team, green team.
The guys that go out and help tactical units with
network assessments for vulnerabilities and bring guys
in later to give them reports.

Q And you just threw out three colors, red, 

blue, and green. Could you explain for the Court what 
a red, blue, and green team are? 

A So when a mission gets ready to deploy
probably about nine months out or so they stand up all
of their network systems and they prepare to deploy.
And the first team they get is what we call a blue team
which comes in and does an initial assessment.

It will assess the network, go look for
vulnerabilities, find of them, figure out what their
general posture is because a lot of these systems
fielded from PMs and they might have default
configuration.

We go through a process where the blue team
comes out and does an assessment does and gives a
report back to the commander. After they've had a
little bit then maybe a month or so then a green team
comes out and does pretty much the same thing, will sit
there and help the unit configure their equipment to
meet the suggested configuration changes so they're not
in default configuration protecting them from attacks.

Later on probably three or four months
before they deploy during an MRX or a war fight or some
exercise they'll have the red team come out which is
one of the final stages and the red team will simulate
the enemy and try to attack their network through
social engineering or other cyber attack type tools and
then again they give a report back to the commander on
how effective they were, what configuration changes
they need. All of that happens at home station.

The final part of that assessment is the
cyber op 4 teams which 2nd battalion first IO has and
as the brigade is at JRTC getting ready to deploy they
again stand up but the commander's now in his
operational focus.

We have the op 4 guys on site simulating
enemy and trying to break into their systems to
demonstrate to the commander what the effects of the
cyber domain are.

Q And you just used two other terms. Can you
explain for the Court what you mean by attacks, prevent
attacks?

A Right. So we perform a lot of
vulnerability assessment, looking at the networks or
the configurations or of their network equipment or
their services or Enterprise level conversations like
active directory or exchange and we assess it for
vulnerabilities to help them defend, better help them
implement the appropriate configurations into their
systems.

Q And which networks are you talking about?

A Prism SIPRnet.

Q What about NIPRnet also?

A We do also assist with the assessment of
those, primarily at CTCs they only scan up the SIPRnet,
but the if they bring out a NIPRnet then we'll also
enter those.

Q What is your current branch and MOS? 

A 255 sierra. 

Q What is that? 

A It's an information protection technician.
So about 2008, 2007/2008 the Army realized that we had
this cyber domain similar to air, sea, land. We also
encountered a lot of combat in the cyber domain.

So realizing we needed to fill that defend
that gap the warrant officer corps assessed the signal
warrant assess that had we needed to provide additional
training to help our guys be the technical experts on
the ground for protecting this domain.

So created a 255 sierra MOS which is fed
from the Alphas, the 255 Alphas, the 255 Novembers
which are signal warrants. They're an assessment
process. They have IA level 3 which requires a certain
level of certification. They submit a resume which is
a, you know, a raw define skill set that they've worked
in the information assurance field and then they're given
an assessment exam, and if they meet all of those
requirements they come to Fort Gordon to the 255 sierra
course and attend about six months in training on
network defense capability such as forensics, perimeter
defense, pen testing, which is that vulnerability
assessment from the outside trying to attack into a
network and looking for a way it can be exploited,
incident handling and other cyber domain related
skills.

Q And what year was the 255 sierra MOS 

created? 

A Officially we started flagging warrant
officers at 255 sierra just this past year. We've been
training them since 2009 or 2010 I believe, right
around in that period. We started design of the course
in about 2008 and I was one of the guys that they
reached out and said, what needs to be in this course
because I had been working the field for a while on
this when we assess we kind of did a lot of broad sweeps
looking for what commanders were looking for, what were
the holes that we can fill as signal warrant officers
to fill that gap.

It's been successful to the model to the
point that the signal corps is now also developing
similar tracks for our enlisted and for our officers.

Q And what was your role, or excuse me, have 

you ever taught in the field of cyber security? 

A I have. So I was one of the eight
selected — one of the initial instructors for the 255
sierra course. A lot of especially in this type of
field in the cyber field you have specialization.

So my specialization was securing Windows
environments and the pen testing area.

Q And again what specifically is pen test,
not too technically, just in layman terms?

A To attack or assess a network from an
external view kind of thing. So you're assessing that
network posture looking for potential ways that an
adversary can exploit it for their gain.

Q How long did you instructor, teach as a 255
sierra?

A Three and a half years.

Q Are you still currently instructing? 

A I do actually. So I'm twice a year I
travel back down to Fort Gordon TDY and I teach the
securing Windows block.

Q What do you mean by securing Windows?

A Part of our courseware is based on industry
standards. SANS is a well known corporation for
training in this field. So the Army uses SANS
training for portions of ensuring that our information
protection warrants are trained properly and certified
according to industry standard.

So one of the courses we have is the
securing Windows and preventing malware which I'm
responsible for.

Q And you spoke about certifications, what 

type of certifications do you have? 

A I have a number of certifications. I
started certifying as a system administrator. So I
have various Microsoft certifications in administration
such as certificate 2003, 2008. I have exchange
certifications for — and all the Microsoft
certifications are based on knowledge and expertise and
experience for whatever you've been certified in.

In the cyber field I also have six GS
certifications which are the certs that we use to
standardize or training for the 255 sierras and some of
those would be securing Windows, pen testing, incident
handling, securing the perimeter and a couple of
others.

Q And what do you mean by securing the 

perimeter? 

A Securing the perimeter involves all of the
network type gear that would be on the external part of
a network. So you'd have the user part of the network
where a lot of computers plug in. You have the
services part of the network where you've got your
servers and your Enterprise level services such as
SharePoint and exchange, and then you've got the
perimeter with your firewalls and your intrusion
detection devices and router configuration and that
kind of thing.

Q What were your duties or your
assignment prior to being assigned to first IO command
at Fort Belvoir?

A Prior to that I was an instructor at Fort
Gordon. Before there I worked at the Microsoft
security response center for a year on a training with
industry programs.

So the military has a program where they'll
take a green suiter, put us into a civilian
corporation, and I had the luck of working at Microsoft
in the place where they handle all of the zero day
exploits that Microsoft works with, and a zero day
exploit is something such as an exploit that they're no
known patch for that vulnerability for yet and those
are highly valuable.

So the Microsoft security MSRC really
taught me a lot how corporations deal with this threat
of malware or malicious software vulnerabilities in
their operating systems and how they respond to it and
how about they triage it and how their teams handle it
at the program manager level type of thing.

Then prior to — so walking backwards,
prior to working at MSRC I've been a system
administrator at the BCT in the division level since
'94 and prior to that was phones.

Q What about your experience with mail server
certifications or e-mail certifications?

A Since from '94 through — 1994 through 2007
I ran Enterprise level services for the Army at the
brigade and division level. That includes active
directory exchange, SharePoint, update servers, client
management, building the local network, configuring the
local network. That kind of stuff.

The easiest way to sum that up is
commanders expect garrison style services in a tactical
environment. So that's what we provide.

Q In your current capacity what echelons do 

you currently work with within the command structure? 

A I'm not really sure — 

Q You had previously testified that you at
first IO command provide red team (INAUDIBLE) for
support. At what level do you provide that support to?

A Yes, sir. Any unit that requests it. So
it would be anywhere from a strategic unit that's a
base. It could be Fort Meade would request a pen test.
It could be a command unit such as Army cyber. Army
cyber may request a pen or it could be a single brigade
combat team. So the scope ranges pretty wide.

Q Have you deployed before?

A Yes, sir. I deployed a couple of times.
The last two deployments were with 1st cav into Iraq,
2004/2005 and 2007/2008. I was one of the two senior
warrant officers in the G6 for the division at MNDB.

Q What was your role during those two
deployments? What were your duties?

A Me and my other chief we managed all of the
Enterprise level services and the network that
supported the 3,000 clients that were on Camp Liberty,
and (INAUDIBLE) so first deployment we managed an active
directory and exchange configuration for — I can use
file names.

Q Yes.

A Camp Fagi, Camp Felton, green zone and Camp
Liberty tied all of those together in a single network
that spanned the wide area network across Baghdad, and
then the second deployment BCTs we assisted the BCTs in
standing up their own domain level services. So we
didn't have as much network traffic.

Q When you say expand the wide area network,
briefly explain what you mean?

A Tactical networks when we put in tactical
networks. It's very similar to a commercial network
just a much more limited availability. So like Fort
Meade is tied to Fort Belvoir across a network both
with phone and with data, but in a tactical environment
the Army has to put those systems in.

So we have signal assemblages through
satellite or on a site that will establish the
conductivity which introduces some unique variables
into signaling where we've got to manage bandwidth a
lot better than in a garrison environment, but it
allowed us to connect — having all of the servers on
Camp Liberty for the first deployment allowed us to
manage all of the users in one location rather than
having them scattered across (INAUDIBLE).

Q Is that true for SIPR and NIPR?

A Yes, sir, and CENTRIS.

Q What is that?

A We call it the blue network. So it's a
network that's higher than unclassified but lower than
SIPR that we share classified information with our
coalition partners, whoever's in that area. There's a
CENTRIS Iraq, there's a CENTRIS Afghanistan, there are
separate networks that have a certain pool of coalition
partners that have access to that network.

Q And earlier you said that when you set up a
network technically you have to be concerned about
limited availability. What do you mean by that?

A Primarily the bandwidth. So here to Fort
Belvoir in a garrison environment we have very large
data pipes and it doesn't really matter what users do
because the network will support it.

In a tactical environment we try to
limit — we're much more cognizant of users on the
network because it directly affects missions that are
going on. If, for instance, I've got a lot of people
surfing the web doing recreation browsing it may
directly affect the commander battle update brief or it
might affect a UAD theater or something else. So we're
very aware of monitoring bandwidth.

Q When setting up this tactical network at
least for NIPR, does that access to the information on
NIPR network?

A So who has access to NIPRnet? Just about
every soldier in the deployed environment who would have
access to the computer. Most all of the computers are
plugged into it.

Q What is USFI?

A That's when I was deployed it was the MNCI.
That's U.S. forces Iraq. So that's what MNCI morphed
into after my departure from the theater. It's
basically what I call the corps headquarters. So it's
the higher headquarters that manages all of the
divisions in Iraq.
Q When you were in Iraq in 2008, what client
did MNCI use to manage e-mail in Iraq?

A They use Outlook. Outlook is the user
client that resides on the work station. The Army has
chosen to use Microsoft products for their Enterprise
solutions. So the brigade, divisions, and corps and
all of them are fielded for their Enterprise level
services, Microsoft server for the user management,
Microsoft exchanges for the mail, and Microsoft
SharePoint for document sharing. Those are the primary
three Enterprise level type services that you would
encourage.

Q What is a global address list or a GAL?

A The global address list is a list of all of
the e-mail addresses available to a user to send e-mail
to.

Q And what networks had a GAL in Iraq?

A All three of them the NIPR, SIPR, and
CENTRIS.

Q Who had access at least to the NIPR?

A Anyone who had —
MR. HURLEY: Personal knowledge.

MAJOR FEIN: I'll ask a foundational
question.

BY MAJOR FEIN:
Q When you were in Iraq in 2007 to 2008 who
had access to the GAL?

A Anyone with access to the NIPRnet that
had — anyone who had access to the NIPRnet that had a
user account.

THE COURT: How do you know that?

THE WITNESS: Ma'am, all user accounts have
an e-mail address and to get access to the GAL they
just open up Outlook and the GAL is there.

CAPTAIN TOOMAN: In 2007 and 2008 was not
necessarily true in 2009 and 2010 which is the time
frame at issue.

THE COURT: Are you going to carry this
over?

MAJOR FEIN: I may ask additional questions
for foundation.

BY MAJOR FEIN:
Q How many years have you been working with
Microsoft products dealing with e-mail?

A Since Microsoft exchange I've got five
which would have been around '98, '99 I believe.

Q Have you worked with you said Microsoft
exchange at the time 5.5 or something and its
successors since then?

A Yes. So 5.5 to 2000, 2003, to 2010, I'm a
Microsoft trainer. So I constantly work with the
Microsoft products. For the Signal Corps for the signal
warrant officers I instruct a five-day block for
exchange server.

Q And in your current capacity or in your
capacity as a trainer and your capacity at first cyber
command do you have personal knowledge of the different
types of — Microsoft Outlook and exchangers used
across the Army on NIPRnet?

A I am.

Q Including and at the time Iraq and
currently in Afghanistan?

A Yes, sir. So the systems that the
brigades, divisions, and corps use is quality BCCS or
battle command and control system. It's a system
fielded by tactical battle command on all of the active
duty signal units that provides their Enterprise level
services. All of them are fielded the same.

We train all of the soldiers at Fort Gordon
on how to operate these systems. They have a general
consistency on how they are configured and fielded.

Part of that fielded is their active
directory configuration and exchange configuration and
so on, their SharePoint configuration.

Q I'm sorry, Chief, was that true in 2997?

A Yes, sir.

Q Was that true in 2008?

A Yes, sir.

Q Was that true in 2009?

A Yes, sir.

Q What about 2010?

A Yes.

Q 2011?

A Yes.

Q Today?

A Yes, sir.

MAJOR FEIN: Your Honor, probably
foundation has been laid here on whether the witness
knows whether Microsoft Outlook was used in Iraq during
the time.

THE COURT: Overruled. So why are we
talking about 2007 and 2008?

MAJOR FEIN: Ma'am, the only reason for the
2007/2008 is simply to lay a foundation for Chief
Rouillard being qualified as an expert in global
address lists, their value, cyber threats.

THE COURT: All right. You heard what the
government wants to do. Are you going to object to
this expert or?

MR. TOOMAN: We are objecting.

THE COURT: Foundation, relevance,
overruled.

BY MAJOR FEIN:
Q Who had — who again going back to Iraq,
who had access to the NIPR GAL in 2010?

A All personnel who worked in a staff
environment or needed access to e-mail for their daily
duties would have had access. Basically if they had an
e-mail address and had an active account they had
access to the GAL.

Q Could any personnel on there have access?

A They could, but you would need a
demonstrated I need to have. So we had a large number
of soldiers in theater, a lot of soldiers were doing
other duties that didn't require e-mail. So if they
were on a team that kicked in doors or something like
that or went out constantly they wouldn't necessarily
have an e-mail account.

Q Who outside the Army or Department of
Defense had access to it?

A To our e-mail servers?

Q Correct.

A Nobody.

Q How is a GAL created?

MR. TOOMAN: Objection.

THE COURT: Overruled.

THE WITNESS: So the GAL was just a list of
e-mail addresses. I say just, but it's a list of
e-mail addresses that's created automatically when
mailboxes created for that user. When you go into an
exchange server and create a user mailbox an e-mail
address is created and added into a different portion
of the exchange server.

The exchange server takes all of those
e-mail addresses, compiles them into what's called
the GAL and creates a GAL for that server. In Iraq
or in our deployed environment or even in the
corporations connectors are put between different
exchange servers. Those exchange servers, such as a
brigade and its division, will then exchange a copy
of their GALs to keep it simple. They exchange a
copy of their GALs and then get one larger GAL with
the division and the brigade and that happens up the
chain so to speak.

So MNCI or USFI that division GAL which
has been built with all of the brigades in the
division gets replicated to the corps level and now
that single corps level is replicated across. That's
why you can sit in 2nd brigade 4 ID and e-mail
somebody in 2nd brigade 1st cav who sit next to each
other but are on different servers because they
share a common GAL, and that's why we do it.
BY MAJOR FEIN:
Q So your very first step you said, once the
user information is input, what do you mean by that?

A So as certain users need access to active
directory or an e-mail account. When that user account
is created they're given an e-mail address. That
e-mail address for us, for 1st cav, from 2003 to when I
left and even now we train guys at track now we train
them to use the AKO mail.

So for instance myself my Army . rouillard,
instead of being at usarmy.mail is at lCDArmy .mail . Do
that for a number of reasons. If I have a bunch of
John Smiths in the brigade that John Smith is the same,
I don't have to worry about deconflicting it because
AKO or the U.S. Army mail has already deconflicted all
of that.

So if Captain Smith is John . smith there on
AKO when he gets his account created in the brigade
server he'll be John . smith3@2BCTlID .

Q When you talk about account creation, who
does that?

A Normally the G6 help desk or the S6 help
desk will do it or the tech guys, but it's most always
in the S6, G6 area.

Q So in order to have e-mails populate GAL
what must a potential user do?

A You must request an account.

Q And then what happens with that request?

A It's given to the G6 area, the help desk
and they either approve it or disapprove it. If they
approve it they create the account.

Q And briefly how does an account get created
by that individual soldier?

A So there's two parts to it because there's
active directory in exchange. So I have to create the
active directory account first which normally was our
help desk it would be Specialist Stone was my guy. He
would sit down, open the terminal, open up the active
directory management tool and create the user account
from the request form that was filled out by the person
requesting the account.

It would have such things as first name
last name, AKO mail address, unit you've worked in, any
potential distribution lists you need to be on.

Distribution list is just a collection of
e-mail addresses I could e-mail quickly. So if wanted
to e-mail command group I could e-mail command group at
(INAUDIBLE) and it would go to everybody in that group.
So you might have a number of those.

So that active directory account gets
created so that they can log into the domain and then
an e-mail account is then created which creates a
mailbox for them and gives them their actual mail
address.

Q So from receipt of the request form to
completion of an e-mail account to population into the
GAL, how much time is a single soldier or person
spending on that one e-mail account on?
A If it's an individual one, probably 10, 15
minutes from the time they get the form to filling out
all the information to it populating. There are
automated tools that allow us to do that that sometimes
we'll prep before we deploy so we'll have spread sheet
with a bunch of information already filled out and we
can input it all at once, but historically it's been
easier for us just to get the forms, fill it out from
the form and put it in.

Q What other resources other than the
soldiers or civilians you just spoke about are required
to create the GAL?

A The soldiers work station in the help desk
area that he's working on, the software that's running,
and then the server resources that the account is being
created.

Q And again briefly what do you mean by
server?

MR. TOOMAN: We'll object on —

THE COURT: Overruled.

BY MAJOR FEIN:
Q And, in general, what are the different
types of exchange server resources you're talking
about? Please explain for the court?

A So to run a server you have the physical
box or the server itself. There's the power that
supports the server. There's the room that the server
has to sit in. There's the air conditioner that you
have to buy to cool the servers, the network cabling
all has to be built, network configuration, that has to
occur to allow the servers to talk, and then there's
also the update, the security configuration and all the
management of that server.

BY MAJOR FEIN:
Q And when you talk about management of the
server, what do you mean?

A Anything from daily backups to reviewing
logs for potential problems. With e-mail servers
specifying you'll have — if you type an e-mail wrong
it will hang in the queue, and with tactical networks
that's an issue because it's trying to send out these
mails and it's bouncing against the queue so it chugs
it up.

So you'll go in and check your queue, make
sure your queues are clear, make sure somebody is not
sending out the 10 meg powerpoint slide, that kind of
thing. So somebody will periodically go in there and
review the outbound or the inbound queue or see if
there's any trouble.

Q Specifically what about for the GAL
before — I'm sorry, let me ask you this.

How do you separate the resources either
physical resources, equipment, or the soldier resources
from operating and maintaining and creating the GAL
versus everything else you've just talked about the
active directory and the other portions of Microsoft?

A Corporations have separated that pretty
well. They'll have active directory administrators.
They'll have exchange administrators. They'll have
very narrow lanes. For the Army we have a much more
limited pool especially at the brigade and division
level. So we train our guys how to do everything which
gives them a much wider scope of authority, but their
workload increases which is okay because we work 12 to
14 hours a day, especially deployed. So we don't care,
but the same guy that creates the e-mail server account
will create the active directory account, will also go
in and set up the client's work station. So it may be
one guy from receiving that request all the way to
configuring the e-mail client.

Q And going back to you testified just a
moment ago about deconflicting issues, powerpoint
slides that might be too big. About how much time does
typically is a soldier dedicated to those tasks
spending just to maintain the GAL?

MR. TOOMAN: Objection, personal knowledge.

THE COURT: Overruled.

THE WITNESS: So maintain the local GAL is
relatively easy 15, 30 minutes a week that you go in
and check it. As soon as you take that address list
and connect it to somebody else such as another brigade
or division or a corps or something now you have an
expediential growing scope.

A lot of what we saw happen was
duplicating e-mail addresses because as long as
everyone put them in sequence everything stayed the
same and you only had one copy, but if two brigades,
for instance, connected to each other and shared the
same GAL, if this brigade and this brigade are
sitting right next to each other and they are put a
connector in without direction from division, the
GAL gets replicated twice and now you have duplicate
accounts and somebody has to go through and clean
that up and troubleshoot it.

For us 1st cav we spend anywhere from
three to six hours a week working on GAL or address
list type issues.

Q And that's just at the division
headquarters?

A Yes, sir.

Q And you said local GAL, what about at the
brigade headquarters?

A So brigade would be the local GAL.
Wherever the local server is. So when I say GAL I more
mean the entire address list that's been shared between
more than one server. Technically it is correct to
call a single address list on a single server a GAL,
but the GAL normally infers that you have a much larger
address book than just your addresses.

Q How many exchange servers were there in
Iraq in 2010?

A In 2008 there was a large number. I'm not
sure in 2010.

Q Is an exchange server common at the brigade
level?

A Yes.

Q And since when has it been common at the
brigade level, what year?

A At least 2004.

Q 2004 or 2005?

A When we started fielding the brigade, the
BCCS, the battle command and control systems. Those
were fielded to fill that gap for the requirement for
commanders to have e-mail servers in the field because
what they found was that commanders were deploying and
they weren't able to e-mail because the network —
originally they would deploy with the concept of we'll
use the AKO servers and try to use that.

When we try to use Enterprise e-mail now we
come into issues over the web. So instead of trying to
force commanders to talk to their people that worked in
their unit across AKOs, the commanders were having
their S6s and G6s stand up e-mail servers. The Army
saw that, saw the need for it so that's why they
fielded the BCCS systems for the brigades.

I believe that started occurring officially
at about 2004 or 2005 but I know that as early as 2003
all the brigades in the Baghdad area had e-mail
servers.

MAJOR FEIN: The United States offers Chief
Rouillard as an expert in both GAL systems and their
values and cyber threats to the Army networks.

THE COURT: Yes.

MR. TOOMAN: We would object to Chief
Rouillard being qualified as an expert in valuation.
If we have the opportunity to voir dire? I have no
objection to Chief Rouillard being called as an expert
with respect to the GAL generally nor do we have an
objection to him as an expert in cyber security.

THE COURT: Let's assume you're finished
with your foundation, are you going to allow the
defense to voir dire on the value point briefly?

MAJOR FEIN: Yes, ma'am.

VOIR DIRE EXAMINATION 
BY MR. TOOMAN: 
Q Chief Rouillard? 

A How are you, sir? 

Q Chief, you spoke a little bit about a lot
of the computer training you had on direct and you also
spoke about, you know, a lot of the certifications you
have.

Have you received any intelligence training
like MI training?

A I have not.

Q Have you received any training on how one
would go about valuing something?

A I'm not really sure I understand.

Q Have you gone to any courses where you were
instructed on how you would go about assigning value to
a thing?

A As an officer?

Q As an officer, as a civilian.

A As an officer we evaluate the value of
things pretty regularly I'm not really sure — no
official training other than warrant officer training
as an officer in the United States Army. They've
taught me to assess the value of something and then we
have yearly training on general evaluation of things
and their value.

Q What does that training involve actually
before I ask you that, what sorts of things do you
assess for value?

A For instance, like risk assessment type
stuff. We all Army officers, all Army personnel go
through the risk assessment type methodology on how to
assess risk assessment.

Q So you look at assessing risk. Have you
had any instruction on how to assess a monetary value
on something?

A No, sir.

Q Do you have any specialized knowledge in
economics .

A I do not?

Q Understand. Economics.

A I do not.

Q Have you taken any courses in economics?

A One or two basic college level courses but
not — I think I took — it was a while ago. So not
specifically no, sir.

Q So maybe like introductory level Microsoft
economics and Macro economics?

A Yes. I'd have to go back and look at my
transcript.

Q Have you ever — of course we need to keep
all of this unclassified and I wouldn't ask you to
respond in any way that would elicit classified
information.

Have you ever bought e-mail addresses?

A I have not.

Q Have you ever sold e-mail addresses?

A I have not.

Q Have you ever attempted to buy an e-mail 
address? 

A I have not . 

Q Have you ever attempted to sell an e-mail 
address? 

A I have not . 

Q Have you ever before this case been asked 
to assess the value of e-mails? 

A No. 

Q Have you ever before this case been asked 
to determine the value of anything? 

A No. 

Q Monetary value? 

A No, sir. 

Q Have you done any sort of studies with 

respect to how various factors affect the value of 
something? 

A No, sir. 

Q So nothing on supply or demand?

A No.

Q Or the nature of information?

A No, sir.

Q And how that might contribute to value?

A No.

Q In your Army experience have you ever
assessed anything for value, looked at and said this is
worth this amount?

A Monetary value?

Q Right.

A No, sir, other than like with our field
with servers as they get nearer to life cycle
replacement or something of that nature, we do an
estimated value of that server. We've had it for three
years. It's more cost effective to replace the . That
type of depreciation value, but nothing fine night and
accurate.

Q Okay. And you were asked to evaluate the 

value of the e-mails, the GAL e-mails, that are 
implicated in this case? 

A Yes. 

Q Without saying what determination you came
to, how did you come to that determination?

A So open source intel e-mail address list
are for sale on the Internet. So there's actually two
vaults, monetary value and then the threat value.

Q Okay.

A The monetary value, because I don't have
prior knowledge and I know not in the business of
buying or selling e-mail addresses simple Bing or a
Google search turns up a number of e-mail addresses
available for sale. You can go here to buy e-mail
addresses or there. So you could do a comparative cost
to valuation based on that since it's all open source.

Q Do you know if that is a common way to 

value e-mail addresses? 

A I don't know. I don't sell e-mail 

addresses . 

Q Do you know if that method of determining 

value has ever been reviewed, peer reviewed, subject to 
peer review? 

A I do not. If I had a list of e-mail
addresses that I wanted to sell I would contact that
site and see how much they want to pay for them which
they advertise on their site.

Q When you visited those websites, I guess
when did you visit those websites?

A Being asked for this case. When I had
discussions with you and when I was being consulted on
the value of the GAL, because to me the value of the
GAL is much more because I protect our networks the
value of the GAL is much more important is what
somebody can do were that data be than just selling it.

Q I know you said that it was after this
started, do you recall a year or my when you did those,
conduct the those Google searches.

A I believe the first one I did was — I'm
trying to recall when I first came and saw you. Was
that October/November, that time frame. I honestly
don't remember. Whenever I first sat with you is the
first time and then I've looked a couple of times since
then, and then as recently as this morning.

Q Would you say within the past year was when
you ever looked it up?

A Yes.

Q Did you contact any of those sites?

A No, sir.

Q Do you know if those sites have ever
actually bought an e-mail address —

A I don't know for a fact.

Q Do you know if they've actually sold an
e-mail address to a person?

A I don't know for a fact, no, sir.

MR. TOOMAN: One moment. Your Honor, we
have no further voir dire questions but if I may just
lay out our objection.

THE COURT: Go ahead.

MR. TOOMAN: We would object based on to
MRE702. I don't believe that the witness will testify
based on sufficient facts nor do we believe Google
searches other products of reliable principles and
methods of valuation.

Also I believe those Google searches
would be hearsay. Anything that Chief Rouillard
would testify about regarding those e-mail serves
would be hearsay so MRE073 we would suggest those
would be excluded since they are unlikely to be
relied upon by valuation experts who do this as
their business.

THE COURT: Thank you. Major Fein, can I
ask why you didn't elicit some of these things before
setting up your foundation?

MAJOR FEIN: Absolutely, ma'am. The reason
some of this was not simply because the United States
was offering him as a cyber threat expert to talk about
the second prong of what Chief Rouillard, defense
didn't ask about, which is there's two different
sources for him to evaluate the GAL. The defense
didn't elicit the second source. They only elicited
the first source which is open source.

THE COURT: Am I assuming you want the
second source and not the first source results?

MAJOR FEIN: The second source, Your
Honor based off of since it's mid 1990s and his
experience in this field and what this information
and how it's used.

THE COURT: Are you proposing to ask
further questions in laying the foundation?

MAJOR FEIN: Yes, ma'am.

THE COURT: You said there's two
different ways to evaluate value. What are those
ways?

MAJOR FEIN: May I ask the witness because
he didn't actually answer the question.

THE COURT: Go ahead.

DIRECT EXAMINATION 
BY MAJOR FEIN: 
Q Chief, the two sources that you would
evaluate the value of e-mail addresses?

A There's the monetary value that if you sell
it on the open market or you sell it to a commercial
entity or a corporation looking to do the spam mail
type thing, that's normally not what the Army focuses
on.

Much more dangerous to us, as the Army or
as the government, is the ability to use those e-mails
to target individuals in the military with those
e-mails. So using this specific — can I use this
specific address list as an example, the 2nd Brigade
10th Mountain?

Q Yes, not using laptops.

A That address list, for example, is a group
of military members who work on Fort Drum who are on
the deployment. So if I was an adversary of U.S. Army
and I wanted to target a group of individuals and I had
those e-mail addresses I could, for instance, pretend
to be — I could craft what we call a spear phishing
e-mail which is a targeted phishing e-mail.

So you have phishing and then you have spear
phishing. So the phishing e-mail is just a blanket send
out a bunch of e-mails, I hope somebody clicks a link or
responds back. A spear phishing e-mail is much more
targeted and has a higher probability of the user
interaction or user response or user click.

So if I craft, for instance, a 2nd brigade
10th mountain using this GAL list and the e-mail says
I'm from PAO on Fort Drum and I'm looking to award five
trips to Disneyland and 20 one hundred dollar gift
certificates, fill out the enclosed PDF and send it
back to me.

Many soldiers that are inexperienced click
that link, open the PDF, and fill out the PDF and send
it in.

Q Is that typically, are those spear phishing
endeavors typically done for profit?

A They can. And, again, the profit part
isn't necessarily what Army network defenders focus on.

THE COURT: Yes.

MR. TOOMAN: We would object based on under
602 personal knowledge of spear phishing.

THE COURT: How do you know about all of
this?

THE WITNESS: Through my information
protection technician training.

THE COURT: Overruled.

THE WITNESS: Actually, to further answer
that we're trained specifically on using spear phishing
campaigns. So part of the cyber op 4 mission as we go
to attack or simulate the enemy at the CTCs we use
spear phishing campaigns against the brigades that are
in the JRTC to try to get them to come to our website
and click our links and install our malware.

So the enemy uses a similar tactic.
So that pretending to be the PAO he could target a
very — he could send out this e-mail campaign
against a very targeted group of individuals who
we've seen even today still click the links even
though whenever yearly training and the user
agreement they signed every year and all of the
other training we give them, users still click link,
and that's why we use this is to highlight when you
click these links this is what happens because
ultimately until commanders see the effect on it's
cyber stuff they don't want to mess with it.

If they see the effect of my G1 or S1
lieutenant click the link as part of the spear
phishing, her box was promised compromised and now
somebody stole the alert roster with names and
social security numbers.

BY MAJOR FEIN:
Q What experience other than the way you've
explained quickly for the Court, do you have with spear
phishing?

A So training. I was trained during the 255
sierra course and then also one of our methods that we
use now with our cyber OPFOR.

Q And again what is the ultimate goal of
spear phishing?

A To elicit a response out of who I send it
to. So it could either be financial or it could be
compromise of that system.

Q What do you mean by compromise of the
system?

A If I can convince a user or if someone with
malicious intent can convince a user to click a link
and visit my website that I control, I can then install
a program on their machine because the user clicked the
link, it will grab the file installs it on their
computer and then opens a connection back up to my
machine.

When it does that with my machine listening
I can then connect back to their machine with their
user credentials because they clicked the link it gives
me access into their box as if I was them.

Q And then you mentioned financial. What do
you mean by that?

A So I could be just trying to rip you off,
so to speak, fill out this link and send me $25 to
enter the raffle for the PAO five Disney vacation
giveaways or something like that of that nature.

Q And in your experience in the last more
than ten years of dealing with Microsoft's Exchange
e-mails and cyber threats, have you seen those types of
spear phishing e-mails for financial gain?

A Absolutely, on our systems, yes. I
couldn't give you specific examples, but we have gone
through and the mail systems that the Army, the
Exchange mail systems usually we sit those behind
what's called a SMTP gateway.

We'll have a server in front that's
filtering a lot of the spam stuff. It's just another
configured mail server type of clients that gets the
mail before it goes to the mail server. That will stop
a lot of the generic, hi, I'm your uncle from
Yugoslavia, send me $200 now for $500,000 later.

That's why Army systems don't get that
because we have very good spam filtering systems in
place on the garrison network.

Targeted or spear phishing is much harder
because now you have a — first you have a much lower
list that you send out, but second it's targeted so
you're saying to a clearly defined list that's again
military personnel, 2nd brigade 10th Mountain from Fort
Drum. So it bypasses a lot of security that's not
normally set to filter that. It's not normally in the
subscription process that the spam filter will stop
that.

Q And approximately how many years of
experience do you have with these types of spear
phishing e-mails that elicit money or ask for money?

A Spear phishing has been around since e-mail
I believe. So at least since 1995.

Q How often since 1995 have you had this
firsthand knowledge experience with these types of
e-mails?

A In my personal mailbox or —

Q In your official capacity —

A As far as protecting against them, since
first Iraq deployment with 1st cav, about 2003 or 2004,
and I became responsible for the mail receivers at 1st
cav. That's where we focused on protecting our users
from spam mail; but, again, the more serious threat for
Army guys was people clicking the link or downloading
the malware or someone who was not pleased with the
United States trying to exploit our military systems.

Q Mentioned spear phishers and those, could
you — what are the other groups of people or
individual groups that would use e-mails from the
United States government?

A So part of our 255 sierra training we kind
of evaluate the different what I call buckets of
threat, and you'll have everybody from — starts out at
the lowest level, and we use this for our training
model basically. So as we do our OPFOR mission this
mirrors very closely.

You'll have the low skilled guys or just
generally displeased with the government, they might
have a blog page or something and say we don't like the
U.S. So if they had list they might try to low key
general spamware to the whole list. You might have
more elite hackers groups like Anonymous potentially
could use it and then all the way up to nation state
actors that would wish us harm.

Q What do you mean by nation state actors?

A So any other country that's attempting to
compromise military networks to — I'm trying to stay
in bounds, but military — different countries that are
trying to compromise military networks to steal our
intellectual property.

So as an example if I was in a country that
didn't like the United States and I could get a
contractor that worked on a government project to click
on a link that would give me access to his box I could
have complete access to that contract project that he
was working on. So it's not just military, but also
everybody that supports us.

Q What about corporations or other corporate
actors trying to obtain lists?

A The corporate actors would probably fall
into more of the financial gain. My experience, I
haven't seen Microsoft trying to take over Army
systems, but if they were looking to sell X-boxes to
soldiers coming back or Ranger Joe.

If Ranger Joe common military website that
sells military type gear. If you wanted a targeted
audience, if he had this global address list of you
know majority Army guys then he has a much better
chance of getting somebody to go to his website, so to
speak.

MAJOR FEIN: Your Honor, United States
renews its move to the Court to qualify Chief
Rouillard as an expert in evaluating e-mails — really
the global address list, Your Honor, not the e-mail.

THE COURT: That's different than what you
originally asked for, you said value?

MAJOR FEIN: Yes, ma'am, the value of the
global address list.

THE COURT: 128 (INAUDIBLE) is anything
other than money?

MAJOR FEIN: No, ma'am, it's the different
markets on how the money and how that valuation is done
through the buyers market, thief market, and United
States would argue that Chief Rouillard is at least the
defense argues that he has assumption on buyers market
based off of known ways because he went on Google and
looked, but differently in a thieves market as far as
his experience with over more than ten years of getting
e-mails saying click here how much they're paying and
where the sources of those e-mails come from, that
would be the authority, Your Honor, or at least
(INAUDIBLE)

So it's not — United States is not
arguing that value is measured in dollar amounts.
We agree with that. It's how it could be measured
to determine that dollar amount and United States
offers that Chief Rouillard's opinion on that is
expert opinion based on his qualifications and
experience could aid the Court in understanding its
monetary value.

THE COURT: Here's what I'm going to do.
You have the witness on the stand, I'm going to let you go
ahead and finish your questioning. I want the
government to provide me with authorities for how value
is measured. Defense you've already given me
something, but you can supplement me with something
you've given me in thieves market and I will decide
based on those admissions whether I accept those or
not.

MR. TOOMAN: The defense would request
first to —

THE COURT: You can do it on cross
examination.

MR. TOOMAN: Okay.

MAJOR FEIN: Ma'am, for purposes of a
pending objection United States move into the opinion
testimony because the United States intends to elicit
factual testimony after that.

THE COURT: You're eliciting the opinion
and you're going to move on to something else?

MAJOR FEIN: I'll notify the Court exactly
when I'm moving on.

THE COURT: Okay. 

BY MAJOR FEIN:
Q Chief Rouillard, based off of your
experiences with spear phishing, how much does a foreign
adversary, how much would they pay for blocks of
e-mails you discussed earlier like 210 Mountain?

MR. TOOMAN: We'll object based on hearsay
and 7503.

THE COURT: I've already said I'm going to
listen to them and decide afterwards. You can put
down in the brief that you'll be filing.

THE WITNESS: Repeat the question. I'm
sorry.

BY MAJOR FEIN:
Q Based on your experience with spear
phishing, what is your opinion on how much a foreign
adversary would pay for a block of e-mails like the
210 Mountain e-mail block you explained earlier?

A So honestly monetary value is hard for me
to assess. However, it's one of the top three to five
documents that I would seek from an adversary.

So a lot of — one of the first things we
do in the — as you're trained in the cyber attack
methodology, one of the first things you do is gather
intel or open source intel and as you do that you might
visit their websites and gather the e-mail addresses
that they have on their websites or information they
have.

So, for instance, if I was interested in
Army cyber I would go to Armycyber . usinternetmail and I
would look at who is the commander, what his bio reads,
and that's why all of those public facing documents go
through a very stringent examination by PO to make sure
none of that information being released to the public
is detrimental or dangerous.

With a list of addresses that are specific
to that unit especially with reference to this GAL
list, in 2010 the other threat was the first part of
that e-mail address was their user account.

So not only is it their e-mail account, but
because we were not doing the smart card log in
(INAUDIBLE) it was also their user login. And so all I
have to have was their password to login as that user.

For value it's when I train my cyber OPFOR
guys I tell them this is one of the top things you
want. Also one of the first things we look for because
that's our normal attack methodology is you send out
some type of spear phishing e-mail to get the user to
click on that link to either visit our website or
install our malware.

MAJOR FEIN: Your Honor, may I have a
moment?

THE COURT: Yes.

MAJOR FEIN: To make easier, the United
States withdraws qualifying Chief Rouillard as an
expert in the GAL evaluation. The United States will
not ask any further opinions of Chief Rouillard on that
topic.

THE COURT: You want me to disregard what
we've just heard?

MAJOR FEIN: Yes, ma'am. The United States
is going to elicit similar testimony, just fact
basis — frankly, Your Honor, the witness did not give
the actual value. So, yes, the Court will disregard
that.

THE COURT: You want the Court to
disregard everything following Captain Tooman's
questioning (INAUDIBLE)?

MAJOR FEIN: Yes, ma'am.

THE COURT: It's done.

MAJOR FEIN: Your Honor, court reporter
Prosecution Exhibit 147 Bravo and 148 Bravo.
BY MAJOR FEIN:
Q Chief Rouillard, I'd like to go back to the
GAL itself.

A Yes.

Q The creation and maintenance. Earlier you
testified about — you testified about the number of
soldiers in and hours that soldiers spend on the
creation. What is a typical range of that soldier who
creates entries into the GAL?

A For us normally it was a specialist up to
junior NCO at the help desk.

Q And that was at the division?

A That was at the division, brigade very
similar. They just had less people, and for the
creation of important accounts like I didn't want my
general's account screwed up so I would see it, but in
general the help desk managed it just fine.

MAJOR FEIN: Your Honor, permission to 
publish Prosecution Exhibit 147 Bravo? 
THE COURT: Okay. 
BY MAJOR FEIN: 

Q Chief Rouillard, do you recognize this? 

A Yes, sir. 

Q What is it? 

A This is the portion of the GAL that was on
the disk that I looked at earlier. This is the user
name — these are the standard type text we would have
on the end of the GAL. So as you were searching
through if you didn't necessarily know the name you
would have other information.

So, for instance, from the first line you
can tell that John worked, he was a master sergeant and
he worked at MFI.

Q Okay.

MAJOR FEIN: Your Honor, permission to 
publish 148 Bravo? 

THE COURT: Go ahead. 
BY MAJOR FEIN: 
Q Chief Rouillard, do you recognize this
document?

A Yes, sir.

Q What is this?

A This is another portion of that GAL
extract. This is actually — it appears to have
been extracted from the Exchange server itself because
of the first part where it says first administrative
group recipients. That's similar to Active Directory
because Active Directory and Exchange kind of installed
together.

The primary important part here is the last
part of that. For instance, John . Iraqcentcommill. So
John.black@iraqcentcommil would have been his e-mail
address.

Q When forces rotated out of Iraq, what
happened at this point to their GAL entry?

A Probably 30 days prior he would start
coordination — the short answer is that their
addresses would come out of the GAL relatively quickly
because we didn't want expired e-mail addresses out
there or duplicates. So as these guys were rotating
out within a couple of weeks the higher ups — so if it
was a division or MF or USFI would delete their portion
out of their Exchange server so it wasn't replicated
around.

Q And from a cyber threat perspective what
potential threats are there with this information being
released?

A So just this information, if this is active
right now I can tell user names, then I just need the
password. I can also tell what server they're on. So
that there is the server that they're on. So Iraq
CENTCOM mil because it's connected to the unclassified
network on the NIPRNet, I can get to that server from
anywhere. I can get to that from anywhere in the world
because that's how we designed them.

I can target let me dot black on that
server, but this also tells me the different servers
that they're on. So you can look down towards the
bottom where that you have NMDB. That's a user off of
a different server, and you can then use like a basic
script and break all of these portions up into
different groups of people. So now I know which server
they exist on.

Q If someone has rotated out of theater after
this left possession of the government and how else
could it be used to further foreign adversaries and
spear phishers endeavors?

A Because our standard operating procedure
for all of our signal guys we teach to use your AKO
e-mail address. The first portion pulls an address
deconfliction (INAUDIBLE) I could take tracy.black or
zachary.black and just do at usarmy.mil and that's
their AKO e-mail address or their mail.mil address and
I can still use a similar spear phishing campaign to
target you.

So if I knew you were in 10th Mountain or
NMDB at the time we're looking for all personnel that
were assigned to MNDB between 2009 and 2011, please,
reply by filling out there for your unit's, your
meritorious unit commendation, fill out this the basic
information and so that would be another example of a
spear phishing technique because it's relatively easy to
craft, falsify the source, say it's coming from Army
PAO or something. That's a relatively easy technique.

I connect to a mail server. I can stand up
a mail server, create whoever I want to send this out
with small PDF or a mutual website please connect to
this website, put your information to ensure you get
this certificate of participation in the Iraqi
campaign.

Q So can you explain though this is showing
you used the example, and, for the record, Chief
Rouillard under lightened the second line from the top
underlined CENTCOM.mil in the third line from the top.

Could you please explain using the same one
how one uses dot blackbox and Iraqicentcom.mil to do
that after someone has rotated out of theater?

MR. TOOMAN: Okay, based on relevance.
This line of questioning will be in more on line with 7
(INAUDIBLE) defense would not (INAUDIBLE) what's not
relevance for this.

MAJOR FEIN: Your Honor, the United States
is offering this as relevance is to value as a fact
witness. This goes directly to what could potentially
happen and the United States intends to call Mr. Louis
who is going to talk about foreign adversaries and what
they do with our contact information and e-mails.

MR. TOOMAN: We would object based on 701.
If we're talking about value, this type of value would
require specialized knowledge under 701 is not an
expert and this —

THE COURT: Overruled. Go ahead. 

BY MAJOR FEIN:
Q So to re-ask the question. You testified
that lena . blackbox, last name at iraqcentcom.mil,
that's the e-mail that's listed in this GAL. How does
that e-mail, how can that e-mail then be used by foreign
adversaries or spear phishers because that's the Iraq
e-mail when they rotate out that e-mail no longer
exists?

A But the first half of that e-mail we've
discussed is the same for your U.S. Army e-mail
address. So I could even do it in a script. I could
take this entire —

Q What do you mean by script?

A A simple text file. So scripting language
is a way to automate tasks, and like, for instance, a
Python is one of the languages you can use to script.
I can take an input file, I can extract certain fields.
So I could say extract everything after slash CM
equals. It extracts that address, strip off the Iraq
CENTCOM mil and paste in at U.S. Army mil and you can
actually automate this, but you can just as easily go
in and hand craft it and change any of these e-mails
addressed to at usarmy.mil and have a high likelihood
of having their e-mail address if they're active now,
if they're in the active duty now.

Q And why would foreign adversaries want the
GAL?

A To target military personnel to get them to
click the links.

Q And you mentioned earlier social
engineering. How would social engineering (INAUDIBLE)?

A So first I find an audience that I want to
target an adversary, and for this instance I'm using
Army. These are all Army people or Army affiliated
personnel.

So I send an e-mail with a web link or a
PDF or something similar to that e-mail address.
THE COURT: Yes.

MR. TOOMAN: Your Honor, I think it goes
beyond the scope of laying a factual foundation. I
would object to 701.

THE COURT: Overruled.

Go ahead.

THE WITNESS: So the user would then
receive the e-mail in their box. It could appear to
come from anybody you'd want it to come from. They see
this e-mail comes in. It could be, for instance, we're
evaluating — I saw on the early times we're evaluating
to go to a new single will ACU pattern. So it would be
this at this the site for selection of five ACU
patterns and we're just doing a public survey to see
which one you would like, and it would come from a PAO
or a civilian company.

So many soldiers would then click that
link taking them to a website which might actually
have five different patterns of ACU to select and
then they click on one, it says thank you, insert
name here, give some type of actual account back,
but it's also collecting information on the machine
that they're on. It would attempt to download
malicious codes into their box. It could a number
of things because I've tricked you to go into a site
which you would not normally visit which is why we
invest so much in the yearly mandatory training for
this type of attack.

Q Are you familiar with the program WGet?

A Yes.

Q How is WGet used when it comes to social
engineering attacks?

MR. TOOMAN: Relevance. This man is not
charged with using WGet for social media attacks.

THE COURT: What's the relevance?

MAJOR FEIN: Your Honor, the relevance is
Chief Rouillard has specialized knowledge about WGet.
This is laying the foundation to ask subsequent
questions to how he knows WGet and is to questions
about WGet.

THE COURT: What does the malicious
spyware have to do with any of this?

MAJOR FEIN: I'm sorry?

THE COURT: What was your last question?

MAJOR FEIN: Ma'am, I can rephrase the
question, if that's the issue?

THE COURT: Just move beyond that. If he is
going to talk about programs itself that is relevant.

MR. TOOMAN: We've heard a lot about WGet

THE COURT: Overruled.
BY MAJOR FEIN:
Q Chief, on a break, first, I'm going to remove
from and return — remove from the projector and return
give to the court reporter 148 Bravo and Prosecution
Exhibit 147 Bravo.

Are you familiar with WGet?
A Yes.
Q What is WGet?

A WGet is an application or a program. WGet
is a program that will download a static copy of web
content such as a website or a SharePoint site and will
download how much of it you tell to download.

If I say execute WGet against PAO.
(INAUDIBLE) it will download the static copy of the
entire public facing website to my computer.

Q And can you please explain for the Court,
again, very briefly, how have you used WGet in a
Windows environment or just WGet in general in your job
as a cyber threat analyst?

A So for us we use WGet — so there's two
versions. There's a Windows version and a Linux
version. The Windows version is not installed by
default. You have to put it on there, but once —
other than that, the functionality is the same, but
because our guys are comfortable with Microsoft Windows
we tend to install and use that; but when you run WGet
and download the page that lets you grab the entire
page, one of the reasons we use it is when we're doing
the open source intel gathering on a site, I can
download the web page and I can take that web page and
feed it into a script again that will break the web
page up into a bunch of words or a dictionary file.

I then use that dictionary file against
user names that I have in an attempt to use those words
as passwords. So something that was pertinent to that
unit, for instance, if their motto was Black Jack then
the commander might have his password as black jack6!

So my program will take words that are
relevant to them, do what we call a little of maining
changes Es to 3s and such and then run that dictionary
file against user accounts in an attempt to guess a
password.

Q And this is in your OPFOR capacity?

A Yes, this is all as an attack methodology.

Q And with that do you have authorization to
use WGet on your computer or do you have to install it?

A We do. You have to be — it's not part of
the normal Army load. So it's not an authorized tool
that the Army users encounter. It's only for, as far
as the Army is concerned, the only people that I'm
aware of that use it are pen testers and OPFOR.

Q And when WGet runs in the Windows
environment on the screen, what does it look like?

A So it's a command driven tool. So it's a
command line tool. It's not a normal Windows thing that
we're used to. It's a black box on the screen, which
is your command window. It will look like a bunch of
typed commands.

So if you squinted down or read through the
commands you would see that it would say WGet something
but otherwise it just looks like a command prompt
screen with text.

Q When you said squint down?

A By default when you open up a command
prompt the text is relatively small. So five, six feet
away I can't read it. Like I couldn't read the one on
his computer if I was standing here.

Q When WGet is running, does it have across
the top of it in big letters WGet?

A No, sir. It has a — it has the page it's
downloading and then some status messages, but there's
not a big announcement that WGet is running.

Q And can WGet be run in the background?

A It can.

Q What does that mean?

A Windows gave us the capability to run
multiple things at once. So on the top of all windows
there's a little icon that looks like a bar. If you
click that it's called minimizing it and moves it down.
You can just as easily drag the Internet Explorer.
That's why you can browse your mail and check the web
at the same time.

Q Are you familiar with mIRC Chat?

A Yes.

Q How are you familiar with mIRC Chat?

A So —

Q In your official capacity?

A In my official capacity we use mIRC Chat in
2003/2004 and in 2007/2008, on both deployments we used
mIRC Chat with my AFA or the artillery guys to
coordinate with other units for their artillery field
of fire.

Q When you say we, who is we?

A The 1st cav, sorry.

Q The division headquarters?

A Yes, sir. So they coordinated with the Air
Force because it was a tool the Air Force was using and
that's what they chose because it's a — it's also a
tool that is used just for text chatting, but with Army
systems in theater, the only simple I saw was AFA test.

Q And what did it — when mIRC Chat runs,
what does the screen look like?

A The application has a distinct look. It
will say mIRC Chat. It will have users and channels on
one side. It will have a text field in the middle with
the chats scrolling up and down and you can kind of
tell chats going on.

Q And you mentioned if you were sitting there
looking at the court reporter's computer you couldn't
see WGet. Could you see mIRC Chat running?

A Right, I could see mIRC Chat running. I
would probably have to look a little closer to see if
it was mIRC Chat because it's a Windows application and
it has a — if you had seen mIRC Chat before you would
know what it looked like. If you had never seen it you
would know just from a glance it was mIRC Chat, but if
you have seen mIRC Chat before you would know that was
mIRC Chat.

MAJOR FEIN: Ma'am, may I have a moment?
THE COURT: Yes.

MAJOR FEIN: Your Honor, the United States
has no further questions.

THE COURT: Just for the record, this
witness was accepted as an expert in the GAL and cyber
security. So the Court allowed the testimony that was
objected to on the fact basis.

Cross examination?

CAPTAIN TOOMAN: Defense requests a
ten-minute comfort break.

(Hearing recessed at 5:00 p.m.)

(Hearing resumed at 5:10 p.m.)

(Testimony started before we had sound.)
CROSS EXAMINATION

THE WITNESS: Unplug the machine from the
network and log in locally with a local user account
and still access many of the same files and everything
else.

BY MR. TOOMAN:
Q So I may be able to do that, but I couldn't
print?

A You could, without being part of it, if
you're still plugged into the network.

Q Right, I'm plugged into the network.

A I'm plugged into the network, but I log in
locally. So I'm not part of the domain, just looking
in a local user account. I could still print. I could
still visit websites. I could still run programs on my
machine. I may not be able to do domain specific
services such as access restricted areas of SharePoint
or access e-mail if I'm on a machine that's not part of
the domain or if I'm logged in locally and I try to
open up my e-mail I'm going to get a prompt for what we
call domain credentials. It's then going to ask for a
domain user, domain password which if I don't have I'm
not going to get into the e-mail.

Q You'd need Active Directory to get anything
into that domain that would be shared drives?

A Potentially depending on how the share
drive is configured. So if the share drive was
configured with a password, then all you need is a
password to connect.

Q That typically —

A Sometimes. It really depends on how the
individual user if you're at home on our home machine
you open up file explorer, right click share your
movies drive, for instance, now the rest of your family
can get your movies drive without having Active
Directory running in your house.

Q That's not how the Army —

A That's not —

Q We (INAUDIBLE) use share folder?

A That is not our standard normal implication
because it still occurs on Army networks.

Q The shared drives that we're used to as
users are connected to the Active Directory.

A Again, it depends on the system. A lot of
the PM systems aren't integrated into Active Directory
until 2007 I believe CPOF, which is a primary tool
command post of the future. There's a Wikipedia
explanation, a real brief one, of what it is. It's
basically a command and control tool.

Until recently that wasn't using Active
Directory logs. So it really depends on the system
you're talking about, but for the average work station
for the user, the average work station would be part of
the domain unless there was a reason that our security
controls would break it.

So a good example of that would be the S1
system. I don't recall the name of it, but their
system if we implemented specific security controls on
there, their system would no longer function, people
couldn't get orders and that type of thing. So we've
excluded those from the security push from the domain.

Q And share drive is another example that it
takes something that's —

A You can have either or. It really depends
on who set up the share and how they set it up. So
what we would say about using Active Directory accounts
to control access to that shared drive, but it doesn't
have to be.

Q Do you have any knowledge of how the active 

directory was set up in 2009 and 2010 in Iraq? 

A Other than how we train all the soldiers 

who do it, no. I know from the training perspective we 
train all of the people who configure the systems, we 
train them all at Fort Gordon and that ' s who I was 
teaching from 2008 through 2011. 

Q You don ' t have any direct knowledge of how 

much time or how many resources were used to input 
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users into the GAL in 2009 and 2010, the Iraq GAL? 
A So I can — 

Q I think you talked about your time at 1st 

cav, but you don't have any knowledge of what was going 
on with respect to how much time it was taking to do 
those tasks in 2009 and 2010? 

A So it ' s the same task whether it ' s me or 

somebody in 2nd brigade 10th Mountain or somebody at 
the NOSK. If there creating user accounts there's 
certain steps you have to do. That process is about 10 
to 15 minutes. 

Q It would take you less time than it would 

take me? 

A Sure, but after you did it ten times you
would do it as fast as anyone else. Think of it as
changing a tire. If I was going to change a tire on my
car, the first time I sat down to change the tire it
would take me a while. After we changed 25 tires we'd
both be about the same speed.

Q You mentioned on direct that there's
automated tools that could be used to do that?

A There are. You can script the creation of
user accounts and e-mail boxes into active directory.
My personal experience is, most of us admins are
basically too lazy to do it and we would rather click
two or three hundred times to use up the time to do
that, because the automated tools a lot of times it
will take us six, eight, ten hours to work through the
script on how to properly input all of that data. So
rather than taking six to eight hours to learn to write
the script, we take the 15 minutes per account split it
out between three or four guys and they just click
through it.

Q It's possible that there might be someone
who's good at writing scripts and they can just do
it in a few minutes and take a lot less time?

A Possibly, but improbable. 

Q When you say writing the script, what sort 

of program would be used to write this script? 

A With Exchange, Exchange runs on Microsoft,
and so PowerShell is the primary tool that we use now
and it's very — it's somewhat complex language. It's
easy to begin with and then it just gets more
complicated as you go on, but primarily you would use
PowerShell as the scripting language because it would
be what was on the server, on the Exchange server.

Q So there's no, per se, prohibition against 

using scripts and automating processes on a system? 

A There's no prohibition against using
PowerShell or script on a system, but other scripting
languages such as Python or Ruby or one of those other
type of scripts that are used a lot wired. Those have
to be installed and, again, you have to have prior
authorization from your G6 to install those, and a reason
why you need those.

Q Right.

Now, you talked about — you were talking
specifically about the GAL in this case. You talked
about some of the threats with respect to having an
individual's name, and if you have the name then you
only have say figure out the password?

A Right.

Q That's one of two pieces that you need?

A Half the puzzle.

Q Are there protections to prevent a 

nondomain computer from logging on to an Army domain? 
A So the user — 

Q If I — 

A I may not be understanding your question.
The user account identified in the GAL doesn't have
anything to do with a computer. If I wanted to exploit
that, for instance, there may be potential blocks — if
it's a public facing server, then I can use that
account to log in. If the server is able to be
(INAUDIBLE) so a lot of the standard deployments was
the SharePoint server was accessible from the garrison
because 1st cav as an example we have personnel on Fort
Hood and at Iraq that were accessing the SharePoint
server. So we would create an account, allow them
access from the outside.

Due to the escalation of the threat in the
cyber domain we have since prevented a lot of that type
of activity, but three, two three years ago those
firewalls and the access list and stuff that would
block that access normally were not in place.

Q Well, what one would have would to get 

access to the network before they could try to figure 
out the password, correct? 

A Correct, however, again, that user account
that's identified in the GAL was also your U.S. Army
mil account. So I could use that to attempt to look in
as you against the dub dub dub.usarmy.mil. So until
we went to using the user information not just to
access the tactical environment, but also your dub dub
dub.

Q You talked about sort of that I guess is
trying to hack into e-mails. The Army e-mail format is
pretty well known, isn't it?

A I don't know. It's fully known to us in
the military. I mean, I see it all the time, but I
guess the best example is with common names.

So somebody could probably guess mine
because I'm a somewhat unique name, but for Jeffrey
Smith or Susan Johnson there might be a large number of
those. So what is their sequence. The bigger threat
is that those accounts with that GAL identified what
specific server they were on. So not just the U.S.
Army mil account, but if they could access any of the
Iraq servers because they were part of the NIPRnet
domain on the unclassified network, if you could reach
that server you could attempt to exploit using those
against that actual server.

Q Were there protections in place to prevent 

someone from accessing those servers in Iraq? 

A So, again, in 2007 and 2008, no. Now most 

likely they are, yes. 

Q What that the deal in 2009 and 3020. 

A No. 

Q You would agree with me that it's pretty
easy to find the Army e-mail address format? You would
agree with that?

A Sure.

Q And as far as names, one could really just
put John.smith and then John.smith1, John.smith.2 and
all the way up?

A Right. So the real danger of the amount of
information, we call this classification by, I forget
the other term. When I take a bunch of similar
information we do the same thing with our network
configurations.

When I take a bunch of disparate network
classifications which are unclassified and I combine
them into all one location, then that document actually
becomes a classified document because of the amount of
danger and the potential amount of exploitation that
could happen from that.

Q The GAL wasn't classified, was it? 

A No, but the threat is more than that single
e-mail address because although I might know your
e-mail and my e-mail here I now have a list of 150,000
e-mails. So I may not be able to get two, five, ten
people to click, but if I send out 150,000 e-mails I
have a much higher chance.

Q You talked about there being a threat that 

someone might try and send an e-mail from a commander? 

A Yes. 

Q Commander names are on the web?

A They are.

Q That's common knowledge? 

A Yes. 

Q You also mentioned that someone might take
the unit's motto and try to a variation of that as a
password?

A Yes. 

Q Those unit mottos are also on the web? 

A Sure. However, again, when I was talking
about WGet scraping the page I used that as an example,
but there's a lot more information that they may talk
about. Commander likes to snowboard or the commander
was stationed here or there. So a lot of those
words — and this is the technique that we use even
today.

Scraping that entire page gives me that
file with all words that — rather than running a
standard dictionary attack which is, you know, just
normal words in the dictionary, I can have a much more
targeted list against that individual user who is tied
to that whatever it is.

MR. TOOMAN: One moment, please, Your
Honor.

THE COURT: Yes. 
BY MR. TOOMAN: 

Q Now, in the response you just gave you're 

assuming that WGet was used to pull the e-mail 
addresses in this instance in this case? 

A No. So WGet scrapes websites. I'm unsure
as to the tool that extracted the GAL. I don't think
it was WGet. There are other tools that would extract
that type of data if you have a connection. It's
called an LDAP query. So lightweight directory.

Q You talked about WGet going and getting a
web page. It's going to get something that's in the
open source, right?

A It will get whatever you have access to. 

Q So the 1st cav website says the commander 

likes fishing, that's something that's on the 1st cav 
website? 

A Correct.

Q But WGet is not grabbing something that's
not there?

A Correct, but if I'm in a tactical
environment and let's put nefarious hats on, for
instance. If I use WGet to scrape the SharePoint I'm
going to download the entire SharePoint site with all
of the files that make up that SharePoint site that I
have access to.

Q Now, you're familiar with archive.org, 

what's known as the way back machine? 

A Yes. 

Q And WGet is the type of program that is
used to populate that website. It goes out and it
grabs whole web pages?

A Okay.

THE COURT: Do you know that or not? 

THE WITNESS: I do not know that for a
fact. I would accept that answer.

THE COURT: Do you know it or not? 

THE WITNESS: I do not, no, ma'am. 

THE COURT: Move on, please. 

BY MR. TOOMAN:
Q Now, Chief, if a soldier wanted to download
all of the e-mails from his brigade, he could do that?

A What do you mean by all?

Q If he wanted to get all of the e-mails — 

A All of the e-mail addresses? 

Q All of the e-mail address from his brigade, 

you could do that? 

A He could, yes, sir. 

Q There's never been any sort of directive or
direction that went out and said you can't download
e-mail addresses off the GAL?

A There has not.

MR. TOOMAN: No further questions. Thank
you.

THE COURT: Redirect? 

REDIRECT EXAMINATION 
BY MAJOR FEIN: 
Q Chief, you testified a few moments ago 

about common Army e-mail formats? 
A Yes. 

Q Are the user name the portion that comes
before the at symbol, is that information in bulk
available to the public?

A It is not, no, sir. 

Q And then also as far as your best knowledge 

about the authority soldiers of downloading the global 
address list book, is it your experience or your 
knowledge of regulations that allows someone to do that 
and then transmit it to their personal computer and use 
it for personal gain? 

A No, sir. So part of the configuration for
the Outlook client that the Army uses is we call it
off-line. The off-line address book and the off-line
files.

If you become disconnected from the network
there's a cache copy on your machine that allows you to
continue working. I haven't had anybody download the
GAL to their personal machine or to a government
machine, and moving it to a personal machine would be
against the rules. We don't allow moving government
type files, and that would fall under a government file
to your personal machine.

MAJOR FEIN: Thank you. No further
questions, Your Honor.

RECROSS EXAMINATION 
BY MR. TOOMAN: 
Q Chief, if I logged on my personal computer
and wanted to download a list of e-mails of all of the
other judge advocates of the Army, would that be
against the rules?

A No, sir. 

MR. TOOMAN: Thank you. 

THE COURT: Anybody on redirect? 

MAJOR FEIN: Your Honor, may I have a
moment?

THE COURT: Yes.

REDIRECT EXAMINATION
BY MAJOR FEIN:
Q Chief, in reference to the very last
question.

A Yes.

Q Again, based off of your personal
knowledge, is a soldier authorized to use their NIPR
machine to download the entire GAL and move it to their
personal computer for the purposes of giving it to a
corporation, a company?

A No, sir.

Q (INAUDIBLE) of the U.S. government. 

A It goes to intent. What do you intend to
do. If you are downloading the GAL to use on your
personal machine because your machine is going in for
repair, it may be okay to have selected individual
addresses. There's not a reason to have the entire GAL
on your personal machine that I'm aware of.

Q Why? 

A The potential for abuse. I don't know that
your machine is baselined or is kept in the appropriate
patches. If your machine is compromised and you've
moved the entire GAL from any theater down to brigade
to your personal machine and your personal machine is
compromised because your kid plays wacomo on a site,
now the enemy has that address list and can exploit —
again back into the whole spear phishing and targeting
of it.

That's why we don't allow people to do
that. That's also why on the AKO site all Army users
are allowed to install Norton antivirus and all of that
on your machine. We want personnel machines to be
protected at home. They'll issue you a CAC card so you
can check your mail, but it goes to intent, and that's
one of the big things in the cyber domains is if you
have physical access, it's really hard to stop a
maliciously intended person because they can do things
regardless of technical prevention.

Q And in 2008 when you last left Iraq, was a
user — did the user have the capability of their
personal computer to log on to the USFI domain and
download e-mails —

A Negative.

Q — for their own personal use?

A Anything connected to your machine into the
government network that was treated as a spillage
basically for us at 1st cav. It was the same as if you
took your NIPRnet and plugged it into the SIPRnet. You
would get a visit from the G6 why are you plugging your
personal box in here, report everything —

Q What about at that time through a web mail 

interface that connects to the exchange in Iraq, did 

that exist? 

A It did not exist, to my knowledge. 

MAJOR FEIN: Thank you. 

THE COURT: Let me just (INAUDIBLE) did 
not exist in 2008 or did not exist in 2009 or 2010? 

THE WITNESS: I cannot speak definitively
that it did not exist in 2009 and 2010. That was not
part of our normal configuration to allow web mail
access because of the attack vector, and if you did
access your mail through the web mail then the address
book is built into the web mail and you wouldn't need
it in your personal box because it is part of the web
mail client.

THE COURT: I asked a follow-up question.
Do you have any follow-up questions based on what I
have.

BY MAJOR FEIN:
Q As recent as today and after 2010 there is
a web mail interface for the Iraq domain?

A Not to my knowledge.

MAJOR FEIN: Thank you. 

RECROSS EXAMINATION 
BY MR. TOOMAN: 

Q Chief, what rule says a user can't download 

e-mail addresses? 

A Again, there's not a rule to prevent you
from downloading the e-mail addresses, but you would
have to address the intent. Again, we don't write the
rules for everything. There's not a rule saying you
download every document on the SharePoint server, but
if you did that you would get a visit — normally you
would get a visit due to the amount of data that you're
collecting. The question would be why do you need that
amount of data.

So the same principle applies to the global
address list, why are you — the command if that was
scrutinized and they would say, why are you downloading
175,000 e-mail addresses for your personal thing where
anytime would you use those addresses you would be
connected to the military system that would have the
address book there for you and you wouldn't need it on
your personal machine.

Q Chief, if your intent was I just wanted to
see if I could do it, that would be okay, wouldn't it?

A It wouldn't necessarily be okay, no, sir.
We don't allow people to just do things because they
want. Again do I download the entire SharePoint
server, and I use that because it's another big part of
our Enterprise services. So if I allow — if I go back
to the secured facility to download the entire
SharePoint that's on the SIPRnet I will get a visit
from my S2 guys and say, why are you downloading all of
this data, what are you planning on doing with it
because the logical assumption is you're going to do
something with all of that data. So same principle
applies to the GAL.

Now, there's not a specific monitoring
tool — there's not a technical implementation to watch
who's downloading the entire global address list
because it's a feature that most people don't download
and it's not a serious system inconvenience when you
download the whole GAL, because it's only a few megs,
but if you were to download the entire SharePoint.

Q There's not a big suck on resources to
download the GAL?

A There's not a huge impact on resources to
do the physical downloading of the GAL.

Q There's no rule that says if your intent
is just I wanted to see if I could do it, there's not a
rule that says you can't?

A There's not a rule written that says you
cannot.

Q Then if you deleted it after you figured 

out how to do it that it would suggest that the intent 
was — 

MAJOR FEIN: Objection, Your Honor. Your 
Honor, as speculative. 

THE COURT: Let's hear the question.

BY MR. TOOMAN:
Q If the file was deleted after it was
downloaded and it was done, what would that say to you
about the intent?

THE COURT: Don't answer that.

MR. TOOMAN: Nothing further. 

THE COURT: Redirect? 

MAJOR FEIN: No, Your Honor. 

MR. COOMBS: Just on that last question.
I understand that was going towards the cyber threat
expert. So he talked about intent. He talked about
whether it would be wrong or right depending upon
the intent. So as a cyber expert threat expert if
what he saw the person downloading it and deleting
it.

THE COURT: That would give him absolutely
no idea what the person's intent was.

MR. COOMBS: From a cyber threat standpoint
he's testifying that something might be wrong, he did a
certain act and he's saying well downloading the log
GAL is not a problem, but if you have all of this
information we would want to know why you have that,
and then that might cause G6 or someone to come to you
and ask you a question like why are you doing this.

So in this instance at issue here is
(INAUDIBLE) so the facts that information was
deleted immediately what would that tell him as a
cyber expert. That's what where that question was
going towards.

THE COURT: So overruled. I do have a
question for you. I'm still confused. I thought you
answered to the government a little bit earlier that if
a soldier wanted to download the e-mails all of his
e-mail addresses from the brigade or defense the
soldier could do it, there's no directive saying he
can't.

THE WITNESS: Correct, ma'am, there is not 
a rule. There is not a specific rule that says you're 
not allowed to download the entire address. 

THE COURT: You're talking about
downloading on NIPRnet or a personal machine or is
there any difference?

THE WITNESS: When you transfer military
data to personal machines there are regulations, and
I'm sorry I can't quote them for you, but there are
regulations that do not allow us to move military data
to personal mechanicals. I can't just take — download
the SharePoint site is a good example because but it
has a bunch of unclassified data. So it seat might
have alert rosters and powerpoint slides and briefings
and such. It might have a briefing from the NSA. I
downloaded all of this data to a government machine.
When I move it off of that government machine to
my personal machine the question comes up, why are you
doing that.

So there are rules that prevent us from
moving data from a government machine. That's why
you can't use thumb drives any more. You can't
burn CDs on classified machines.

THE COURT: Do you know what happens
(INAUDIBLE).

THE WITNESS: I do not. AR25-2 somewhere
the (INAUDIBLE) Act, but there are also local policies
that would be implemented that would prevent that. I
can research that if need —

THE COURT: Any follow-up based on mine?

MAJOR FEIN: No, ma'am.

MR. TOOMAN: No, ma'am. 

THE COURT: All right. 

MR. TOOMAN: No objection. 

THE COURT: Please do not discuss your 
testimony or your knowledge of the case with anybody 
other than counsel while the trial is still on. 

THE WITNESS: Yes, ma'am. 

THE COURT: Just for the record, as part of
my overruling of the defense objection I'm not
going to consider any of this witnesses testified he
said there's rules and regarding the transfer of
data from the NIPRnet computer to a personal computer
noted where they are and he doesn't know what they are
that's my understanding of his testimony.

MAJOR FEIN: Yes, ma'am. 

MR. TOOMAN: Sounds right, Your Honor. 

THE COURT: Anything else we need to 
address today. 

MAJOR FEIN: No, ma'am. 

MR. COOMBS: No, Your Honor.

THE COURT: Do we still need to talk about
tomorrow. Do you want to take a brief recess and come
back on the record and decide in ten minutes.

THE COURT: The Court is in recess at ten 
minutes of 6:00, depending on how long this recess takes. 
(Hearing recessed at 5:50 p.m.) 
(Hearing resumed at 6:00 p.m.) 

THE COURT: Counsel and I met in an 202 
conference to talk about the way ahead. First of all, 
we will be coming back on the record at 0930 for oral 
argument on the admissibility of certain prosecution 
exhibits that the defense has had hearsay 
authentication and relevance objections to and there 
was some confusion as to exactly what exhibits we were 
talking. I know we're talking about Prosecution 109. 
What are the other ones.

MAJOR FEIN: 31 and 32. 

THE COURT: 33 and 34 are not being
offered by the government.

MAJOR FEIN: No, ma'am. 

THE COURT: Defense you already remained
the citing for these two exhibits to be taken out.

MR. TOOMAN: Yes, ma'am.

THE COURT: Okay. That would be at 0930
tomorrow. We also discussed the way ahead after that.
Right now the parties are negotiating additional 
stipulations of expected testimony. They're in draft 
form. They've got to go back, both sides have to agree 
to stipulations of expected testimony as does PFC 
Manning in order for them to be introduced as evidence 
in lieu of witness testimony. That takes time. 

And the parties have advised — Major 
Fein, why don't you explain for the record what the 
parties would like to do. 

MAJOR FEIN: Your Honor, the defense and
prosecution have agreed to enter into the 17 more
stipulations of expected testimony, and based off of
the volume of the individual stipulations it will take
both parties additional time in order to discuss the
stipulations and come to an agreement and also provide
certain ones to certain government organizations to
have classification to be completed.

So the United States and defense came
together and proposed that after tomorrow's oral
argument the Court recesses until next Tuesday which
would provide both parts at which time by the end of
this week to have the stipulations completed and
then to send those to the different government
organizations and for them to come back based off of
a court order by Wednesday of next week.

If we reconvene, Your Honor, Tuesday of 
next week in a status hearing on the stipulations or 
any other issues that might arise and the goal then 
being on Wednesday the government resumes its case 
in chief by calling the next set of witnesses and 
reading the stipulations on the record. 

THE COURT: Is that the defense's 
understanding as well? 

MR. COOMBS: Yes, Your Honor. 

THE COURT: All right. And the Court did
discuss with the parties this additional review by the
other agency. That's between the government. You can
certainly have whoever you want to review it, but it's
not going to delay the Court. I move to have the court
order coming out saying it's going to be three business
days and that's it.

MAJOR FEIN: Yes, ma'am. 

THE COURT: So I'll draft that order today
and we'll put that in as an Exhibit tomorrow.

Is there anything else we need to 
address at this point? 

MR. COOMBS: No, Your Honor. 

MAJOR FEIN: No, Your Honor. 

THE COURT: The only thing I'm thinking of
based on the testimony of the last witness I had asked 
the parties to prepare briefs on value and money, and 
the government has withdrawn that part of his 
testimony. Does either party see the need for briefs 
at this time? 

MAJOR FEIN: No, ma'am. 

MR. COOMBS: No, ma'am.

MAJOR FEIN: There is one other
administrative issue. Over the weekend there was an
e-mail between the parties and the Court about not
calling sentencing witnesses prior to 8 July. I'll
just put on the record that the United States based off
of the defense not objecting and the Court approving
that United States did notify all sentencing witnesses
or is in the process of notifying prosecution and
defense witnesses that would not be called any earlier
than 8 July.

THE COURT: That's fine. That was a series
of e-mails that went back and forth. The defense
had no objection. And, again, looking at the schedule
now and motions, certain motions that may arise and the
length of potential defense case we may not even be at
that point by July 8th. We will have to see how we
address that as we go along.

MAJOR FEIN: Yes, ma'am. 

MR. COOMBS: Yes, Your Honor. 

THE COURT: Anything else? 

MAJOR FEIN: No, ma'am. 

MR. COOMBS: No, ma'am. 

THE COURT: The Court is in recess.
(Hearing adjourned at 6:25 p.m.)